From 4d34a77d34e354b24ce8f1ce5bb349d9024b5e1b Mon Sep 17 00:00:00 2001 From: Nikos Bregiannis Date: Wed, 16 Aug 2017 21:55:52 -0700 Subject: [PATCH 1/7] [vppd] Partially implemented ACLs & modified ovs dependency in policyState --- drivers/vppd/vppdriver.go | 131 ++++++++++++++++++++++++++++- netmaster/mastercfg/policyState.go | 22 ++--- 2 files changed, 141 insertions(+), 12 deletions(-) diff --git a/drivers/vppd/vppdriver.go b/drivers/vppd/vppdriver.go index 7f0b13871..cc59df603 100644 --- a/drivers/vppd/vppdriver.go +++ b/drivers/vppd/vppdriver.go @@ -32,6 +32,7 @@ import ( agent_core "github.com/ligato/cn-infra/core" "github.com/ligato/vpp-agent/clientv1/linux/localclient" "github.com/ligato/vpp-agent/flavours/linuxlocal" + vpp_acl "github.com/ligato/vpp-agent/plugins/defaultplugins/aclplugin/model/acl" vpp_if "github.com/ligato/vpp-agent/plugins/defaultplugins/ifplugin/model/interfaces" vpp_l2 "github.com/ligato/vpp-agent/plugins/defaultplugins/l2plugin/model/l2" linux_if "github.com/ligato/vpp-agent/plugins/linuxplugin/model/interfaces" @@ -54,6 +55,11 @@ type NetworkConfig struct { endpoints map[string]EndpointConfig // Endpoint ID -> Endpoint Config } +// ACLConfig stores ACL configuration for a given network. +type ACLConfig struct { + acl *vpp_acl.AccessLists_Acl // ACL +} + // VppDriverOperState carries operational state of the VppDriver. type VppDriverOperState struct { core.CommonState @@ -61,6 +67,8 @@ type VppDriverOperState struct { // Cached currently applied configuration of networks and endpoints. LocalNetConfig map[string]NetworkConfig // Network ID -> Network config localNetConfigMutex sync.Mutex + LocalACLConfig map[string]ACLConfig // Network ID -> ACL config + localACLConfigMutex sync.Mutex } // Write the state 
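Review bot: The comment on the new `LocalACLConfig` field in the `VppDriverOperState` hunk says the map is keyed by network ID, but `AddPolicyRule` in the next hunk stores under the policy-rule id it was called with (`d.oper.LocalACLConfig[id] = aclcfg`); suggest `LocalACLConfig map[string]ACLConfig // policy rule ID -> ACL config`. The map is only declared here — nothing in this patch calls `make` on it, and unless `Init` (outside the diff) does, the first store in `AddPolicyRule` panics with an assignment to a nil map. Because `ACLConfig.acl` is unexported, the cached ACLs will presumably not survive `d.oper.Write()` and a later re-read of the oper state; a comment saying whether that is intended would help the next reader.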
@@ -607,7 +615,128 @@ func (d *VppDriver) InspectNameserver() ([]byte, error) { // AddPolicyRule is not implemented func (d *VppDriver) AddPolicyRule(id string) error { - log.Infof("Not implemented") + ruleCfg := &mastercfg.CfgPolicyRule{} + ruleCfg.StateDriver = d.oper.StateDriver + err := ruleCfg.Read(id) + if err != nil { + log.Errorf("Failed to read ruleCfg \n") + return err + } + + d.oper.localACLConfigMutex.Lock() + _, exists := d.oper.LocalACLConfig[id] + d.oper.localACLConfigMutex.Unlock() + if exists { + err = fmt.Errorf("Network id='%s' is already configured", id) + log.Error(err.Error()) + return err + } + + vppRule := &ruleCfg.OfnetPolicyRule + aclcfg := ACLConfig{} + + // Action rule to be VPP specific + if vppRule.Action == "allow" { + aclcfg.acl = &vpp_acl.AccessLists_Acl{ + Rules: []*vpp_acl.AccessLists_Acl_Rule{}, + } + aclcfg.acl.Rules = append(aclcfg.acl.Rules, + &vpp_acl.AccessLists_Acl_Rule{ + Actions: &vpp_acl.AccessLists_Acl_Rule_Actions{ + AclAction: vpp_acl.AclAction_PERMIT, + }, + }, + ) + } else if vppRule.Action == "deny" { + aclcfg.acl = &vpp_acl.AccessLists_Acl{ + Rules: []*vpp_acl.AccessLists_Acl_Rule{}, + } + aclcfg.acl.Rules = append(aclcfg.acl.Rules, + &vpp_acl.AccessLists_Acl_Rule{ + Actions: &vpp_acl.AccessLists_Acl_Rule_Actions{ + AclAction: vpp_acl.AclAction_DENY, + }, + }, + ) + } + + // Src/DstNetwork choice based on protocol + if vppRule.IpProtocol == 6 { + aclcfg.acl.Rules = append(aclcfg.acl.Rules, + &vpp_acl.AccessLists_Acl_Rule{ + Matches: &vpp_acl.AccessLists_Acl_Rule_Matches{ + IpRule: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule{ + Ip: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Ip{ + DestinationNetwork: vppRule.DstIpAddr, + SourceNetwork: vppRule.SrcIpAddr, + }, + Tcp: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Tcp{ + DestinationPortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Tcp_DestinationPortRange{ + LowerPort: uint32(vppRule.DstPort), + UpperPort: uint32(vppRule.DstPort), + }, + SourcePortRange: 
&vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Tcp_SourcePortRange{ + LowerPort: uint32(vppRule.DstPort), + UpperPort: uint32(vppRule.DstPort), + }, + }, + }, + }, + }, + ) + } else if vppRule.IpProtocol == 17 { + aclcfg.acl.Rules = append(aclcfg.acl.Rules, + &vpp_acl.AccessLists_Acl_Rule{ + Matches: &vpp_acl.AccessLists_Acl_Rule_Matches{ + IpRule: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule{ + Ip: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Ip{ + DestinationNetwork: vppRule.DstIpAddr, + SourceNetwork: vppRule.SrcIpAddr, + }, + Udp: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Udp{ + DestinationPortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Udp_DestinationPortRange{ + LowerPort: uint32(vppRule.DstPort), + UpperPort: uint32(vppRule.DstPort), + }, + SourcePortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Udp_SourcePortRange{ + LowerPort: uint32(vppRule.DstPort), + UpperPort: uint32(vppRule.DstPort), + }, + }, + }, + }, + }) + } else { + aclcfg.acl.Rules = append(aclcfg.acl.Rules, + &vpp_acl.AccessLists_Acl_Rule{ + Matches: &vpp_acl.AccessLists_Acl_Rule_Matches{ + IpRule: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule{ + Ip: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Ip{ + DestinationNetwork: vppRule.DstIpAddr, + SourceNetwork: vppRule.SrcIpAddr, + }, + }, + }, + }, + ) + } + log.Infof("ACL config: %v", aclcfg) + + err = localclient.DataChangeRequest(vppDriverID). + Put(). + ACL(aclcfg.acl). + Send(). + ReceiveReply() + + if err != nil { + log.Errorf("Failed to create network id='%s', Err: %v", id, err) + return err + } + + // Store the network configuration + d.oper.localACLConfigMutex.Lock() + d.oper.LocalACLConfig[id] = aclcfg + d.oper.localACLConfigMutex.Unlock() return nil } diff --git a/netmaster/mastercfg/policyState.go b/netmaster/mastercfg/policyState.go index da5b733c8..495b04442 100644 --- a/netmaster/mastercfg/policyState.go +++ b/netmaster/mastercfg/policyState.go 
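Review bot: In the `AddPolicyRule` hunk `aclcfg.acl` is only allocated in the `allow`/`deny` branches, so any other `vppRule.Action` value reaches `aclcfg.acl.Rules = append(...)` in the protocol section through a nil pointer and panics; reject it up front with `return fmt.Errorf("unsupported policy action %q for rule %s", vppRule.Action, id)` so an unknown action fails closed instead of crashing the driver. Both the TCP and the UDP `SourcePortRange` are built from `vppRule.DstPort`, so a rule with a source-port match only hits traffic whose source and destination ports happen to coincide — a deny rule written that way silently never matches, which is fail-open. The mutex is dropped between the `exists` check and the final store, so two concurrent calls for the same id can both pass the check; hold the lock (`defer d.oper.localACLConfigMutex.Unlock()`) across the whole function. Separately, the action and the match are appended as two distinct ACL rules, the first with no match and the second with no action, which is unlikely to be what the VPP ACL model expects — confirm against the plugin's semantics.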
@@ -286,12 +286,12 @@ func (gp *EpgPolicy) createOfnetRule(rule *contivModel.Rule, dir string) (*ofnet log.Fatalf("Unknown rule direction %s", dir) } - // Add the Rule to policyDB - err = ofnetMaster.AddRule(ofnetRule) - if err != nil { - log.Errorf("Error creating rule {%+v}. Err: %v", ofnetRule, err) - return nil, err - } + // // Add the Rule to policyDB + // err = ofnetMaster.AddRule(ofnetRule) + // if err != nil { + // log.Errorf("Error creating rule {%+v}. Err: %v", ofnetRule, err) + // return nil, err + // } // Send AddRule to netplugin agents err = addPolicyRuleState(ofnetRule) @@ -373,11 +373,11 @@ func (gp *EpgPolicy) DelRule(rule *contivModel.Rule) error { for _, ofnetRule := range ruleMap.OfnetRules { log.Infof("Deleting rule {%+v} from policyDB", ofnetRule) - // Delete the rule from policyDB - err := ofnetMaster.DelRule(ofnetRule) - if err != nil { - log.Errorf("Error deleting the ofnet rule {%+v}. Err: %v", ofnetRule, err) - } + // // Delete the rule from policyDB + // err := ofnetMaster.DelRule(ofnetRule) + // if err != nil { + // log.Errorf("Error deleting the ofnet rule {%+v}. Err: %v", ofnetRule, err) + // } // Send DelRule to netplugin agents err = delPolicyRuleState(ofnetRule) From e6ac70f9f4bc6332a61872cd18adcd4ab7dcc1ae Mon Sep 17 00:00:00 2001 From: Nikos Bregiannis Date: Wed, 16 Aug 2017 22:17:11 -0700 Subject: [PATCH 2/7] minor visual changes --- drivers/vppd/vppdriver.go | 111 +++++++++++++++++--------------------- 1 file changed, 49 insertions(+), 62 deletions(-) diff --git a/drivers/vppd/vppdriver.go b/drivers/vppd/vppdriver.go index cc59df603..25c39ba1c 100644 --- a/drivers/vppd/vppdriver.go +++ b/drivers/vppd/vppdriver.go 
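Review bot: Commenting out `ofnetMaster.AddRule` in `createOfnetRule` removes the rule from the ofnet policy DB for every driver, not only VPP, so on the OVS datapath a policy created through this path is no longer installed — a silent fail-open for the existing backend. If the intent is to bypass ofnet only when the vppd driver is in use, gate the call on the configured driver rather than deleting it, and do not leave enforcement code in the tree as comments. `createOfnetRule` continues past this hunk.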
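Review bot: In the `DelRule` hunk the `err := ofnetMaster.DelRule(...)` declaration is removed while `err = delPolicyRuleState(ofnetRule)` keeps a plain assignment, so this compiles only if an `err` is already declared in an enclosing scope, which is outside the hunk — please confirm. The surviving log line `Deleting rule {%+v} from policyDB` is now misleading because nothing is removed from the policy DB; reword it or restore the deletion. As with `createOfnetRule`, dropping the ofnet call unconditionally leaves stale rules in the OVS policy DB for non-VPP deployments.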
@@ -634,91 +634,78 @@ func (d *VppDriver) AddPolicyRule(id string) error { vppRule := &ruleCfg.OfnetPolicyRule aclcfg := ACLConfig{} - + aclcfg.acl = &vpp_acl.AccessLists_Acl{ + Rules: []*vpp_acl.AccessLists_Acl_Rule{}, + } // Action rule to be VPP specific if vppRule.Action == "allow" { - aclcfg.acl = &vpp_acl.AccessLists_Acl{ - Rules: []*vpp_acl.AccessLists_Acl_Rule{}, - } - aclcfg.acl.Rules = append(aclcfg.acl.Rules, - &vpp_acl.AccessLists_Acl_Rule{ - Actions: &vpp_acl.AccessLists_Acl_Rule_Actions{ - AclAction: vpp_acl.AclAction_PERMIT, - }, + aclcfg.acl.Rules = append(aclcfg.acl.Rules, &vpp_acl.AccessLists_Acl_Rule{ + Actions: &vpp_acl.AccessLists_Acl_Rule_Actions{ + AclAction: vpp_acl.AclAction_PERMIT, }, - ) + }) } else if vppRule.Action == "deny" { - aclcfg.acl = &vpp_acl.AccessLists_Acl{ - Rules: []*vpp_acl.AccessLists_Acl_Rule{}, - } - aclcfg.acl.Rules = append(aclcfg.acl.Rules, - &vpp_acl.AccessLists_Acl_Rule{ - Actions: &vpp_acl.AccessLists_Acl_Rule_Actions{ - AclAction: vpp_acl.AclAction_DENY, - }, + aclcfg.acl.Rules = append(aclcfg.acl.Rules, &vpp_acl.AccessLists_Acl_Rule{ + Actions: &vpp_acl.AccessLists_Acl_Rule_Actions{ + AclAction: vpp_acl.AclAction_DENY, }, - ) + }) } // Src/DstNetwork choice based on protocol if vppRule.IpProtocol == 6 { - aclcfg.acl.Rules = append(aclcfg.acl.Rules, - &vpp_acl.AccessLists_Acl_Rule{ - Matches: &vpp_acl.AccessLists_Acl_Rule_Matches{ - IpRule: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule{ - Ip: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Ip{ - DestinationNetwork: vppRule.DstIpAddr, - SourceNetwork: vppRule.SrcIpAddr, + aclcfg.acl.Rules = append(aclcfg.acl.Rules, &vpp_acl.AccessLists_Acl_Rule{ + Matches: &vpp_acl.AccessLists_Acl_Rule_Matches{ + IpRule: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule{ + Ip: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Ip{ + DestinationNetwork: vppRule.DstIpAddr, + SourceNetwork: vppRule.SrcIpAddr, + }, + Tcp: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Tcp{ + DestinationPortRange: 
&vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Tcp_DestinationPortRange{ + LowerPort: uint32(vppRule.DstPort), + UpperPort: uint32(vppRule.DstPort), }, - Tcp: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Tcp{ - DestinationPortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Tcp_DestinationPortRange{ - LowerPort: uint32(vppRule.DstPort), - UpperPort: uint32(vppRule.DstPort), - }, - SourcePortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Tcp_SourcePortRange{ - LowerPort: uint32(vppRule.DstPort), - UpperPort: uint32(vppRule.DstPort), - }, + SourcePortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Tcp_SourcePortRange{ + LowerPort: uint32(vppRule.DstPort), + UpperPort: uint32(vppRule.DstPort), }, }, }, }, - ) + }) } else if vppRule.IpProtocol == 17 { - aclcfg.acl.Rules = append(aclcfg.acl.Rules, - &vpp_acl.AccessLists_Acl_Rule{ - Matches: &vpp_acl.AccessLists_Acl_Rule_Matches{ - IpRule: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule{ - Ip: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Ip{ - DestinationNetwork: vppRule.DstIpAddr, - SourceNetwork: vppRule.SrcIpAddr, + aclcfg.acl.Rules = append(aclcfg.acl.Rules, &vpp_acl.AccessLists_Acl_Rule{ + Matches: &vpp_acl.AccessLists_Acl_Rule_Matches{ + IpRule: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule{ + Ip: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Ip{ + DestinationNetwork: vppRule.DstIpAddr, + SourceNetwork: vppRule.SrcIpAddr, + }, + Udp: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Udp{ + DestinationPortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Udp_DestinationPortRange{ + LowerPort: uint32(vppRule.DstPort), + UpperPort: uint32(vppRule.DstPort), }, - Udp: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Udp{ - DestinationPortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Udp_DestinationPortRange{ - LowerPort: uint32(vppRule.DstPort), - UpperPort: uint32(vppRule.DstPort), - }, - SourcePortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Udp_SourcePortRange{ - LowerPort: uint32(vppRule.DstPort), - 
UpperPort: uint32(vppRule.DstPort), - }, + SourcePortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Udp_SourcePortRange{ + LowerPort: uint32(vppRule.DstPort), + UpperPort: uint32(vppRule.DstPort), }, }, }, - }) + }, + }) } else { - aclcfg.acl.Rules = append(aclcfg.acl.Rules, - &vpp_acl.AccessLists_Acl_Rule{ - Matches: &vpp_acl.AccessLists_Acl_Rule_Matches{ - IpRule: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule{ - Ip: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Ip{ - DestinationNetwork: vppRule.DstIpAddr, - SourceNetwork: vppRule.SrcIpAddr, - }, + aclcfg.acl.Rules = append(aclcfg.acl.Rules, &vpp_acl.AccessLists_Acl_Rule{ + Matches: &vpp_acl.AccessLists_Acl_Rule_Matches{ + IpRule: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule{ + Ip: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Ip{ + DestinationNetwork: vppRule.DstIpAddr, + SourceNetwork: vppRule.SrcIpAddr, }, }, }, - ) + }) } log.Infof("ACL config: %v", aclcfg) From 3d8af2142db687719fcc5388e36ecd7849c79813 Mon Sep 17 00:00:00 2001 From: Nikos Bregiannis Date: Wed, 16 Aug 2017 23:29:16 -0700 Subject: [PATCH 3/7] test deny/allow rules --- drivers/vppd/vppdriver.go | 147 +++++++++++++++++++++----------------- 1 file changed, 83 insertions(+), 64 deletions(-) diff --git a/drivers/vppd/vppdriver.go b/drivers/vppd/vppdriver.go index 25c39ba1c..52a7467ed 100644 --- a/drivers/vppd/vppdriver.go +++ b/drivers/vppd/vppdriver.go 
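Review bot: Hoisting the `aclcfg.acl` allocation above the action check removes the nil dereference for unknown actions, but an action that is neither `allow` nor `deny` now yields an ACL whose only rule is the match entry with no `Actions` set, and that is pushed to the VPP agent as-is. Add an explicit rejection after the `if`/`else if`: `} else { return fmt.Errorf("unsupported policy action %q for rule %s", vppRule.Action, id) }` so unrecognised actions fail closed. The source-port ranges in this hunk are still derived from `vppRule.DstPort`; `vppRule.SrcPort` is the field they should use.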
@@ -634,79 +634,98 @@ func (d *VppDriver) AddPolicyRule(id string) error { vppRule := &ruleCfg.OfnetPolicyRule aclcfg := ACLConfig{} - aclcfg.acl = &vpp_acl.AccessLists_Acl{ - Rules: []*vpp_acl.AccessLists_Acl_Rule{}, - } + // Action rule to be VPP specific if vppRule.Action == "allow" { - aclcfg.acl.Rules = append(aclcfg.acl.Rules, &vpp_acl.AccessLists_Acl_Rule{ - Actions: &vpp_acl.AccessLists_Acl_Rule_Actions{ - AclAction: vpp_acl.AclAction_PERMIT, - }, - }) - } else if vppRule.Action == "deny" { - aclcfg.acl.Rules = append(aclcfg.acl.Rules, &vpp_acl.AccessLists_Acl_Rule{ - Actions: &vpp_acl.AccessLists_Acl_Rule_Actions{ - AclAction: vpp_acl.AclAction_DENY, - }, - }) - } - - // Src/DstNetwork choice based on protocol - if vppRule.IpProtocol == 6 { - aclcfg.acl.Rules = append(aclcfg.acl.Rules, &vpp_acl.AccessLists_Acl_Rule{ - Matches: &vpp_acl.AccessLists_Acl_Rule_Matches{ - IpRule: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule{ - Ip: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Ip{ - DestinationNetwork: vppRule.DstIpAddr, - SourceNetwork: vppRule.SrcIpAddr, - }, - Tcp: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Tcp{ - DestinationPortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Tcp_DestinationPortRange{ - LowerPort: uint32(vppRule.DstPort), - UpperPort: uint32(vppRule.DstPort), - }, - SourcePortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Tcp_SourcePortRange{ - LowerPort: uint32(vppRule.DstPort), - UpperPort: uint32(vppRule.DstPort), - }, - }, - }, - }, - }) - } else if vppRule.IpProtocol == 17 { - aclcfg.acl.Rules = append(aclcfg.acl.Rules, &vpp_acl.AccessLists_Acl_Rule{ - Matches: &vpp_acl.AccessLists_Acl_Rule_Matches{ - IpRule: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule{ - Ip: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Ip{ - DestinationNetwork: vppRule.DstIpAddr, - SourceNetwork: vppRule.SrcIpAddr, - }, - Udp: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Udp{ - DestinationPortRange: 
&vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Udp_DestinationPortRange{ - LowerPort: uint32(vppRule.DstPort), - UpperPort: uint32(vppRule.DstPort), - }, - SourcePortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Udp_SourcePortRange{ - LowerPort: uint32(vppRule.DstPort), - UpperPort: uint32(vppRule.DstPort), - }, + aclcfg.acl = &vpp_acl.AccessLists_Acl{ + Rules: []*vpp_acl.AccessLists_Acl_Rule{ + { + Actions: &vpp_acl.AccessLists_Acl_Rule_Actions{ + AclAction: vpp_acl.AclAction_PERMIT, }, }, }, - }) - } else { - aclcfg.acl.Rules = append(aclcfg.acl.Rules, &vpp_acl.AccessLists_Acl_Rule{ - Matches: &vpp_acl.AccessLists_Acl_Rule_Matches{ - IpRule: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule{ - Ip: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Ip{ - DestinationNetwork: vppRule.DstIpAddr, - SourceNetwork: vppRule.SrcIpAddr, + } + } else if vppRule.Action == "deny" { + aclcfg.acl = &vpp_acl.AccessLists_Acl{ + Rules: []*vpp_acl.AccessLists_Acl_Rule{ + { + Actions: &vpp_acl.AccessLists_Acl_Rule_Actions{ + AclAction: vpp_acl.AclAction_DENY, }, }, }, - }) + } } + + // // Src/DstNetwork choice based on protocol + // if vppRule.IpProtocol == 6 { + // aclcfg.acl = &vpp_acl.AccessLists_Acl{ + // Rules: []*vpp_acl.AccessLists_Acl_Rule{ + // { + // Matches: &vpp_acl.AccessLists_Acl_Rule_Matches{ + // IpRule: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule{ + // Ip: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Ip{ + // DestinationNetwork: vppRule.DstIpAddr, + // SourceNetwork: vppRule.SrcIpAddr, + // }, + // Tcp: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Tcp{ + // DestinationPortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Tcp_DestinationPortRange{ + // LowerPort: uint32(vppRule.DstPort), + // UpperPort: uint32(vppRule.DstPort), + // }, + // SourcePortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Tcp_SourcePortRange{ + // LowerPort: uint32(vppRule.DstPort), + // UpperPort: uint32(vppRule.DstPort), + // }, + // }, + // }, + // }, + // }, + // }, + // } + // } else if 
vppRule.IpProtocol == 17 { + // aclcfg.acl = &vpp_acl.AccessLists_Acl{ + // Rules: []*vpp_acl.AccessLists_Acl_Rule{ + // { + // Matches: &vpp_acl.AccessLists_Acl_Rule_Matches{ + // IpRule: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule{ + // Ip: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Ip{ + // DestinationNetwork: vppRule.DstIpAddr, + // SourceNetwork: vppRule.SrcIpAddr, + // }, + // Udp: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Udp{ + // DestinationPortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Udp_DestinationPortRange{ + // LowerPort: uint32(vppRule.DstPort), + // UpperPort: uint32(vppRule.DstPort), + // }, + // SourcePortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Udp_SourcePortRange{ + // LowerPort: uint32(vppRule.DstPort), + // UpperPort: uint32(vppRule.DstPort), + // }, + // }, + // }, + // }, + // }, + // }, + // } + // } else { + // aclcfg.acl = &vpp_acl.AccessLists_Acl{ + // Rules: []*vpp_acl.AccessLists_Acl_Rule{ + // { + // Matches: &vpp_acl.AccessLists_Acl_Rule_Matches{ + // IpRule: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule{ + // Ip: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Ip{ + // DestinationNetwork: vppRule.DstIpAddr, + // SourceNetwork: vppRule.SrcIpAddr, + // }, + // }, + // }, + // }, + // }, + // } + // } + log.Infof("ACL config: %v", aclcfg) err = localclient.DataChangeRequest(vppDriverID). From 33fd7c63e71f3733a8478ac80c8d2e262a42c27b Mon Sep 17 00:00:00 2001 From: Nikos Bregiannis Date: Thu, 17 Aug 2017 10:18:04 -0700 Subject: [PATCH 4/7] merge fix --- drivers/vppd/vppdriver.go | 109 -------------------------------------- 1 file changed, 109 deletions(-) diff --git a/drivers/vppd/vppdriver.go b/drivers/vppd/vppdriver.go index f3ffaeebf..3a68208cb 100644 --- a/drivers/vppd/vppdriver.go +++ b/drivers/vppd/vppdriver.go 
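Review bot: With the match section commented out, each policy rule becomes an ACL with a single match-less `PERMIT` or `DENY` entry, so an `allow` rule permits all traffic on whatever interface the ACL is attached to and a `deny` rule drops all of it, regardless of the source, destination or ports the policy specified. Even as a test step this should not land on a shared branch as commented-out code; keep the experiment on a local branch or behind a build tag and restore the match construction before merging. The hunk also re-introduces the unknown-action problem — `aclcfg.acl` is again allocated only inside the `allow`/`deny` branches, so any other action sends a nil ACL in `ACL(aclcfg.acl)`.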
@@ -69,13 +69,9 @@ type VppDriverOperState struct { // Acquire locks in the order as they are listed here to prevent from a potential deadlock! LocalNetConfig map[string]NetworkConfig // Network ID -> Network config localNetConfigMutex sync.Mutex -<<<<<<< HEAD - LocalACLConfig map[string]ACLConfig // Network ID -> ACL config -======= LocalEpConfig map[string]EndpointConfig // Endpoint ID -> Endpoint config localEpConfigMutex sync.Mutex LocalACLConfig map[string]ACLConfig // ACL ID -> ACL config ->>>>>>> upstream/govpp-pantheon-dev2 localACLConfigMutex sync.Mutex } @@ -617,33 +613,16 @@ func (d *VppDriver) AddPolicyRule(id string) error { } d.oper.localACLConfigMutex.Lock() -<<<<<<< HEAD - _, exists := d.oper.LocalACLConfig[id] - d.oper.localACLConfigMutex.Unlock() - if exists { - err = fmt.Errorf("Network id='%s' is already configured", id) -======= defer d.oper.localACLConfigMutex.Unlock() _, exists := d.oper.LocalACLConfig[id] if exists { err = fmt.Errorf("ACL id='%s' is already configured", id) ->>>>>>> upstream/govpp-pantheon-dev2 log.Error(err.Error()) return err } vppRule := &ruleCfg.OfnetPolicyRule aclcfg := ACLConfig{} -<<<<<<< HEAD - - // Action rule to be VPP specific - if vppRule.Action == "allow" { - aclcfg.acl = &vpp_acl.AccessLists_Acl{ - Rules: []*vpp_acl.AccessLists_Acl_Rule{ - { - Actions: &vpp_acl.AccessLists_Acl_Rule_Actions{ - AclAction: vpp_acl.AclAction_PERMIT, -======= var action *vpp_acl.AccessLists_Acl_Rule_Actions var matches *vpp_acl.AccessLists_Acl_Rule_Matches 
@@ -674,19 +653,10 @@ func (d *VppDriver) AddPolicyRule(id string) error { SourcePortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Tcp_SourcePortRange{ LowerPort: uint32(vppRule.SrcPort), UpperPort: uint32(vppRule.SrcPort), ->>>>>>> upstream/govpp-pantheon-dev2 }, }, }, } -<<<<<<< HEAD - } else if vppRule.Action == "deny" { - aclcfg.acl = &vpp_acl.AccessLists_Acl{ - Rules: []*vpp_acl.AccessLists_Acl_Rule{ - { - Actions: &vpp_acl.AccessLists_Acl_Rule_Actions{ - AclAction: vpp_acl.AclAction_DENY, -======= } else if vppRule.IpProtocol == 17 { matches = &vpp_acl.AccessLists_Acl_Rule_Matches{ IpRule: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule{ 
@@ -702,82 +672,10 @@ func (d *VppDriver) AddPolicyRule(id string) error { SourcePortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Udp_SourcePortRange{ LowerPort: uint32(vppRule.SrcPort), UpperPort: uint32(vppRule.SrcPort), ->>>>>>> upstream/govpp-pantheon-dev2 }, }, }, } -<<<<<<< HEAD - } - - // // Src/DstNetwork choice based on protocol - // if vppRule.IpProtocol == 6 { - // aclcfg.acl = &vpp_acl.AccessLists_Acl{ - // Rules: []*vpp_acl.AccessLists_Acl_Rule{ - // { - // Matches: &vpp_acl.AccessLists_Acl_Rule_Matches{ - // IpRule: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule{ - // Ip: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Ip{ - // DestinationNetwork: vppRule.DstIpAddr, - // SourceNetwork: vppRule.SrcIpAddr, - // }, - // Tcp: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Tcp{ - // DestinationPortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Tcp_DestinationPortRange{ - // LowerPort: uint32(vppRule.DstPort), - // UpperPort: uint32(vppRule.DstPort), - // }, - // SourcePortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Tcp_SourcePortRange{ - // LowerPort: uint32(vppRule.DstPort), - // UpperPort: uint32(vppRule.DstPort), - // }, - // }, - // }, - // }, - // }, - // }, - // } - // } else if vppRule.IpProtocol == 17 { - // aclcfg.acl = &vpp_acl.AccessLists_Acl{ - // Rules: []*vpp_acl.AccessLists_Acl_Rule{ - // { - // Matches: &vpp_acl.AccessLists_Acl_Rule_Matches{ - // IpRule: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule{ - // Ip: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Ip{ - // DestinationNetwork: vppRule.DstIpAddr, - // SourceNetwork: vppRule.SrcIpAddr, - // }, - // Udp: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Udp{ - // DestinationPortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Udp_DestinationPortRange{ - // LowerPort: uint32(vppRule.DstPort), - // UpperPort: uint32(vppRule.DstPort), - // }, - // SourcePortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Udp_SourcePortRange{ - // LowerPort: uint32(vppRule.DstPort), - // 
UpperPort: uint32(vppRule.DstPort), - // }, - // }, - // }, - // }, - // }, - // }, - // } - // } else { - // aclcfg.acl = &vpp_acl.AccessLists_Acl{ - // Rules: []*vpp_acl.AccessLists_Acl_Rule{ - // { - // Matches: &vpp_acl.AccessLists_Acl_Rule_Matches{ - // IpRule: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule{ - // Ip: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Ip{ - // DestinationNetwork: vppRule.DstIpAddr, - // SourceNetwork: vppRule.SrcIpAddr, - // }, - // }, - // }, - // }, - // }, - // } - // } -======= } else { matches = &vpp_acl.AccessLists_Acl_Rule_Matches{ IpRule: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule{ @@ -799,7 +697,6 @@ func (d *VppDriver) AddPolicyRule(id string) error { }, }, } ->>>>>>> upstream/govpp-pantheon-dev2 log.Infof("ACL config: %v", aclcfg) @@ -815,13 +712,7 @@ func (d *VppDriver) AddPolicyRule(id string) error { } // Store the network configuration -<<<<<<< HEAD - d.oper.localACLConfigMutex.Lock() - d.oper.LocalACLConfig[id] = aclcfg - d.oper.localACLConfigMutex.Unlock() -======= d.oper.LocalACLConfig[id] = aclcfg ->>>>>>> upstream/govpp-pantheon-dev2 return nil } From 6b0918e26afce7ffe3350773cbc4dedf85c2feb4 Mon Sep 17 00:00:00 2001 From: Nikos Bregiannis Date: Mon, 21 Aug 2017 03:45:35 -0700 Subject: [PATCH 5/7] merge --- drivers/vppd/vppdriver.go | 142 +++++++++++++++++++++----------------- 1 file changed, 78 insertions(+), 64 deletions(-) diff --git a/drivers/vppd/vppdriver.go b/drivers/vppd/vppdriver.go index e20d3f44e..3b877d092 100644 --- a/drivers/vppd/vppdriver.go +++ b/drivers/vppd/vppdriver.go @@ -57,6 +57,11 @@ type ACLConfig struct { acl *vpp_acl.AccessLists_Acl // ACL } +// ACLConfig stores ACL configuration for a given network. +type ACLConfig struct { + acl *vpp_acl.AccessLists_Acl // ACL +} + // VppDriverOperState carries operational state of the VppDriver. type VppDriverOperState struct { core.CommonState 
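Review bot: The comment kept above the final store in the `@@ -815,13 +712,7 @@` hunk of `AddPolicyRule` still reads `// Store the network configuration`, but the line caches the ACL for a policy rule; suggest `// Cache the ACL pushed for this policy rule (lock held via the defer above)`. Resolving every conflict in favour of the upstream side is the right call here, since that side holds `localACLConfigMutex` across the whole function and uses `vppRule.SrcPort` for the source-port range.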
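Review bot: `ACLConfig` is declared twice after this hunk — the context already shows `type ACLConfig struct { acl *vpp_acl.AccessLists_Acl }` and the added lines repeat it verbatim — so `vppdriver.go` fails to compile with a redeclaration error at this revision. Drop the five added lines; a later patch in the series removes the duplicate, but the intermediate commit is broken for bisecting.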
@@ -65,9 +70,7 @@ type VppDriverOperState struct { // Acquire locks in the order as they are listed here to prevent from a potential deadlock! LocalNetConfig map[string]NetworkConfig // Network ID -> Network config localNetConfigMutex sync.Mutex - LocalEpConfig map[string]EndpointConfig // Endpoint ID -> Endpoint config - localEpConfigMutex sync.Mutex - LocalACLConfig map[string]ACLConfig // ACL ID -> ACL config + LocalACLConfig map[string]ACLConfig // Network ID -> ACL config localACLConfigMutex sync.Mutex } 
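Review bot: Removing `LocalEpConfig` and `localEpConfigMutex` from `VppDriverOperState` reverts the upstream merge rather than resolving it; the driver's `Init` still initialises `d.oper.LocalEpConfig` (visible as context in the following patch) and the endpoint store path uses the mutex, so this revision will not compile. The restored comment `// Network ID -> ACL config` is also wrong — `AddPolicyRule` keys the map by policy-rule id; keep the upstream field lines and use `// policy rule ID -> ACL config`.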
@@ -617,94 +620,103 @@ func (d *VppDriver) AddPolicyRule(id string) error { } d.oper.localACLConfigMutex.Lock() - defer d.oper.localACLConfigMutex.Unlock() _, exists := d.oper.LocalACLConfig[id] + d.oper.localACLConfigMutex.Unlock() if exists { - err = fmt.Errorf("ACL id='%s' is already configured", id) + err = fmt.Errorf("Network id='%s' is already configured", id) log.Error(err.Error()) return err } vppRule := &ruleCfg.OfnetPolicyRule - log.Infof("Add policy rule with id='%s' and config: %+v", id, vppRule) - aclcfg := ACLConfig{} - var action *vpp_acl.AccessLists_Acl_Rule_Actions - var matches *vpp_acl.AccessLists_Acl_Rule_Matches // Action rule to be VPP specific if vppRule.Action == "allow" { - action = &vpp_acl.AccessLists_Acl_Rule_Actions{ - AclAction: vpp_acl.AclAction_PERMIT, + aclcfg.acl = &vpp_acl.AccessLists_Acl{ + Rules: []*vpp_acl.AccessLists_Acl_Rule{}, } + aclcfg.acl.Rules = append(aclcfg.acl.Rules, + &vpp_acl.AccessLists_Acl_Rule{ + Actions: &vpp_acl.AccessLists_Acl_Rule_Actions{ + AclAction: vpp_acl.AclAction_PERMIT, + }, + }, + ) } else if vppRule.Action == "deny" { - action = &vpp_acl.AccessLists_Acl_Rule_Actions{ - AclAction: vpp_acl.AclAction_DENY, + aclcfg.acl = &vpp_acl.AccessLists_Acl{ + Rules: []*vpp_acl.AccessLists_Acl_Rule{}, } + aclcfg.acl.Rules = append(aclcfg.acl.Rules, + &vpp_acl.AccessLists_Acl_Rule{ + Actions: &vpp_acl.AccessLists_Acl_Rule_Actions{ + AclAction: vpp_acl.AclAction_DENY, + }, + }, + ) } // Src/DstNetwork choice based on protocol if vppRule.IpProtocol == 6 { - matches = &vpp_acl.AccessLists_Acl_Rule_Matches{ - IpRule: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule{ - Ip: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Ip{ - DestinationNetwork: vppRule.DstIpAddr, - SourceNetwork: vppRule.SrcIpAddr, - }, - Tcp: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Tcp{ - DestinationPortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Tcp_DestinationPortRange{ - LowerPort: uint32(vppRule.DstPort), - UpperPort: 
uint32(vppRule.DstPort), - }, - SourcePortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Tcp_SourcePortRange{ - LowerPort: uint32(vppRule.SrcPort), - UpperPort: uint32(vppRule.SrcPort), + aclcfg.acl.Rules = append(aclcfg.acl.Rules, + &vpp_acl.AccessLists_Acl_Rule{ + Matches: &vpp_acl.AccessLists_Acl_Rule_Matches{ + IpRule: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule{ + Ip: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Ip{ + DestinationNetwork: vppRule.DstIpAddr, + SourceNetwork: vppRule.SrcIpAddr, + }, + Tcp: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Tcp{ + DestinationPortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Tcp_DestinationPortRange{ + LowerPort: uint32(vppRule.DstPort), + UpperPort: uint32(vppRule.DstPort), + }, + SourcePortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Tcp_SourcePortRange{ + LowerPort: uint32(vppRule.DstPort), + UpperPort: uint32(vppRule.DstPort), + }, + }, }, }, }, - } + ) } else if vppRule.IpProtocol == 17 { - matches = &vpp_acl.AccessLists_Acl_Rule_Matches{ - IpRule: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule{ - Ip: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Ip{ - DestinationNetwork: vppRule.DstIpAddr, - SourceNetwork: vppRule.SrcIpAddr, - }, - Udp: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Udp{ - DestinationPortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Udp_DestinationPortRange{ - LowerPort: uint32(vppRule.DstPort), - UpperPort: uint32(vppRule.DstPort), - }, - SourcePortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Udp_SourcePortRange{ - LowerPort: uint32(vppRule.SrcPort), - UpperPort: uint32(vppRule.SrcPort), + aclcfg.acl.Rules = append(aclcfg.acl.Rules, + &vpp_acl.AccessLists_Acl_Rule{ + Matches: &vpp_acl.AccessLists_Acl_Rule_Matches{ + IpRule: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule{ + Ip: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Ip{ + DestinationNetwork: vppRule.DstIpAddr, + SourceNetwork: vppRule.SrcIpAddr, + }, + Udp: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Udp{ + 
DestinationPortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Udp_DestinationPortRange{ + LowerPort: uint32(vppRule.DstPort), + UpperPort: uint32(vppRule.DstPort), + }, + SourcePortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Udp_SourcePortRange{ + LowerPort: uint32(vppRule.DstPort), + UpperPort: uint32(vppRule.DstPort), + }, + }, }, }, - }, - } + }) } else { - matches = &vpp_acl.AccessLists_Acl_Rule_Matches{ - IpRule: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule{ - Ip: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Ip{ - DestinationNetwork: vppRule.DstIpAddr, - SourceNetwork: vppRule.SrcIpAddr, + aclcfg.acl.Rules = append(aclcfg.acl.Rules, + &vpp_acl.AccessLists_Acl_Rule{ + Matches: &vpp_acl.AccessLists_Acl_Rule_Matches{ + IpRule: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule{ + Ip: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Ip{ + DestinationNetwork: vppRule.DstIpAddr, + SourceNetwork: vppRule.SrcIpAddr, + }, + }, }, }, - } - } - - aclcfg.acl = &vpp_acl.AccessLists_Acl{ - AclName: "acl-" + id, - Rules: []*vpp_acl.AccessLists_Acl_Rule{ - { - RuleName: vppRule.RuleId, - Actions: action, - Matches: matches, - }, - }, + ) } - - log.Info("ACL config: ", aclcfg) + log.Infof("ACL config: %v", aclcfg) err = localclient.DataChangeRequest(vppDriverID). Put(). @@ -713,12 +725,14 @@ func (d *VppDriver) AddPolicyRule(id string) error { ReceiveReply() if err != nil { - log.Errorf("Failed to create policy rule id='%s', Err: %v", id, err) + log.Errorf("Failed to create network id='%s', Err: %v", id, err) return err } // Store the network configuration + d.oper.localACLConfigMutex.Lock() d.oper.LocalACLConfig[id] = aclcfg + d.oper.localACLConfigMutex.Unlock() return nil } From d3f1031dda14f9665a7e721209dd7f5ddc5f9544 Mon Sep 17 00:00:00 2001 
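Review bot: This merge regresses three things the upstream version of `AddPolicyRule` had fixed: `defer d.oper.localACLConfigMutex.Unlock()` is replaced by an unlock right after the `exists` check, reopening the check-then-store race; both `SourcePortRange` blocks go back to `uint32(vppRule.DstPort)` instead of `vppRule.SrcPort`, so source-port rules never match unless source and destination ports are equal (a deny written that way is fail-open); and `AclName: "acl-" + id` / `RuleName: vppRule.RuleId` are dropped, so the ACL is pushed to the VPP agent with an empty name, which the agent presumably needs to identify it. Re-resolve on the upstream side — one rule carrying both `Actions` and `Matches`, the lock held via `defer`, `SrcPort` for the source range — rather than reinstating the pre-merge HEAD.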
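Review bot: The error message in this hunk regresses to `Failed to create network id='%s'` although the failing operation is the ACL push for a policy rule; keep the upstream wording `Failed to create policy rule id='%s', Err: %v`. Re-taking `localACLConfigMutex` just for the store only protects the map if the earlier duplicate check runs under the same lock, which this merge undid — a single `defer` at the top of the function covers both.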
From: Nikos Bregiannis Date: Mon, 21 Aug 2017 03:49:26 -0700 Subject: [PATCH 6/7] [vppd] Implemented addPolicy Rule --- drivers/vppd/vppdriver.go | 259 ++++++++++++++----------- netmaster/mastercfg/policyRuleState.go | 4 +- netmaster/mastercfg/policyState.go | 4 +- 3 files changed, 146 insertions(+), 121 deletions(-) diff --git a/drivers/vppd/vppdriver.go b/drivers/vppd/vppdriver.go index 3b877d092..1c82011c2 100644 --- a/drivers/vppd/vppdriver.go +++ b/drivers/vppd/vppdriver.go @@ -20,17 +20,18 @@ import ( "fmt" "hash/fnv" "os" + "strconv" "sync" "time" "github.com/contiv/netplugin/core" "github.com/contiv/netplugin/drivers" "github.com/contiv/netplugin/netmaster/mastercfg" + "github.com/contiv/ofnet" + agent_core "github.com/ligato/cn-infra/core" "github.com/ligato/cn-infra/logging" log "github.com/ligato/cn-infra/logging/logrus" - - agent_core "github.com/ligato/cn-infra/core" "github.com/ligato/vpp-agent/clientv1/linux/localclient" "github.com/ligato/vpp-agent/flavours/linuxlocal" vpp_acl "github.com/ligato/vpp-agent/plugins/defaultplugins/aclplugin/model/acl" @@ -57,11 +58,6 @@ type ACLConfig struct { acl *vpp_acl.AccessLists_Acl // ACL } -// ACLConfig stores ACL configuration for a given network. -type ACLConfig struct { - acl *vpp_acl.AccessLists_Acl // ACL -} - // VppDriverOperState carries operational state of the VppDriver. type VppDriverOperState struct { core.CommonState @@ -70,7 +66,9 @@ type VppDriverOperState struct { // Acquire locks in the order as they are listed here to prevent from a potential deadlock! LocalNetConfig map[string]NetworkConfig // Network ID -> Network config localNetConfigMutex sync.Mutex - LocalACLConfig map[string]ACLConfig // Network ID -> ACL config + LocalEpConfig map[string]EndpointConfig // Endpoint ID -> Endpoint config + localEpConfigMutex sync.Mutex + LocalACLConfig map[int][]*ofnet.OfnetPolicyRule // ACL ID -> ACL config localACLConfigMutex sync.Mutex } 
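Review bot: `LocalACLConfig` now maps `int` to `[]*ofnet.OfnetPolicyRule` and `CreateEndpoint` in a later hunk looks it up by `cfgEp.EndpointGroupID`, so the comment `// ACL ID -> ACL config` should read `// endpoint group ID -> policy rules applied to its endpoints`. With that change the `ACLConfig` type kept in the context above has no user in the visible diff; remove it or say what it is still for. Since the oper state is written with `d.oper.Write()`, holding pointers to ofnet rules here presumably serialises the whole rule set with the driver state — confirm that is intended and that it round-trips on restart.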
@@ -132,7 +130,7 @@ func (d *VppDriver) Init(info *core.InstanceInfo) error { d.oper.LocalNetConfig = make(map[string]NetworkConfig) d.oper.LocalEpConfig = make(map[string]EndpointConfig) - d.oper.LocalACLConfig = make(map[string]ACLConfig) + d.oper.LocalACLConfig = make(map[int][]*ofnet.OfnetPolicyRule) // write the oper err = d.oper.Write() @@ -157,7 +155,7 @@ func (d *VppDriver) Init(info *core.InstanceInfo) error { // make sure LocalACLConfig exist if d.oper.LocalACLConfig == nil { - d.oper.LocalACLConfig = make(map[string]ACLConfig) + d.oper.LocalACLConfig = make(map[int][]*ofnet.OfnetPolicyRule) rewriteOper = true } @@ -371,11 +369,28 @@ func (d *VppDriver) CreateEndpoint(id string) error { VppInterface(epcfg.afpacket). Send(). ReceiveReply() + if err != nil { netcfg.bd.Interfaces = origBfIfs log.Errorf("Failed to create endpoint id='%s', Err: %v", id, err) return err } + + // Apply policy if any at the endpoint + d.oper.localACLConfigMutex.Lock() + defer d.oper.localACLConfigMutex.Unlock() + rule, epPolicyCfgExists := d.oper.LocalACLConfig[cfgEp.EndpointGroupID] + if !epPolicyCfgExists { + log.Infof("No policy currently applied to the interface") + } else { + // Add policy to endpoint if exists + err = addEndpointACL(rule, cfgEp.EndpointGroupID, afPacketName) + if err != nil { + log.Errorf("Failed to create endpoint id='%s', Err: %v", id, err) + return err + } + } + // Store the endpoint configuration d.oper.localEpConfigMutex.Lock() defer d.oper.localEpConfigMutex.Unlock() @@ -405,6 +420,7 @@ func (d *VppDriver) CreateEndpoint(id string) error { operEp.Clear() } }() + return nil } 
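Review bot: The new block in the CreateEndpoint hunk takes `localACLConfigMutex` with a deferred unlock and then, on the context lines just below, takes `localEpConfigMutex`, which is the reverse of the order the VppDriverOperState comment requires ("Acquire locks in the order as they are listed here"); any other path that locks the endpoint mutex first can deadlock against this one. Copying the rule slice out under a short critical section (`d.oper.localACLConfigMutex.Lock(); rule, epPolicyCfgExists := d.oper.LocalACLConfig[cfgEp.EndpointGroupID]; d.oper.localACLConfigMutex.Unlock()`) before calling addEndpointACL also stops the VPP round-trip inside addEndpointACL from running with the lock held. When addEndpointACL fails the function returns with the afpacket interface already created in VPP and `netcfg.bd.Interfaces` not restored, unlike the first error branch, so the endpoint stays attached with no policy applied; roll back or at least restore the bridge-domain state on that path. The rest of CreateEndpoint, including where `cfgEp` comes from, is outside this hunk.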
@@ -619,120 +635,20 @@ func (d *VppDriver) AddPolicyRule(id string) error { return err } - d.oper.localACLConfigMutex.Lock() - _, exists := d.oper.LocalACLConfig[id] - d.oper.localACLConfigMutex.Unlock() - if exists { - err = fmt.Errorf("Network id='%s' is already configured", id) - log.Error(err.Error()) - return err - } - + log.Infof("EPGID = %d", ruleCfg.EndpointGroupID) + epgID := ruleCfg.EndpointGroupID vppRule := &ruleCfg.OfnetPolicyRule - aclcfg := ACLConfig{} - - // Action rule to be VPP specific - if vppRule.Action == "allow" { - aclcfg.acl = &vpp_acl.AccessLists_Acl{ - Rules: []*vpp_acl.AccessLists_Acl_Rule{}, - } - aclcfg.acl.Rules = append(aclcfg.acl.Rules, - &vpp_acl.AccessLists_Acl_Rule{ - Actions: &vpp_acl.AccessLists_Acl_Rule_Actions{ - AclAction: vpp_acl.AclAction_PERMIT, - }, - }, - ) - } else if vppRule.Action == "deny" { - aclcfg.acl = &vpp_acl.AccessLists_Acl{ - Rules: []*vpp_acl.AccessLists_Acl_Rule{}, - } - aclcfg.acl.Rules = append(aclcfg.acl.Rules, - &vpp_acl.AccessLists_Acl_Rule{ - Actions: &vpp_acl.AccessLists_Acl_Rule_Actions{ - AclAction: vpp_acl.AclAction_DENY, - }, - }, - ) - } - - // Src/DstNetwork choice based on protocol - if vppRule.IpProtocol == 6 { - aclcfg.acl.Rules = append(aclcfg.acl.Rules, - &vpp_acl.AccessLists_Acl_Rule{ - Matches: &vpp_acl.AccessLists_Acl_Rule_Matches{ - IpRule: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule{ - Ip: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Ip{ - DestinationNetwork: vppRule.DstIpAddr, - SourceNetwork: vppRule.SrcIpAddr, - }, - Tcp: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Tcp{ - DestinationPortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Tcp_DestinationPortRange{ - LowerPort: uint32(vppRule.DstPort), - UpperPort: uint32(vppRule.DstPort), - }, - SourcePortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Tcp_SourcePortRange{ - LowerPort: uint32(vppRule.DstPort), - UpperPort: uint32(vppRule.DstPort), - }, - }, - }, - }, - }, - ) - } else if vppRule.IpProtocol == 17 { - 
aclcfg.acl.Rules = append(aclcfg.acl.Rules, - &vpp_acl.AccessLists_Acl_Rule{ - Matches: &vpp_acl.AccessLists_Acl_Rule_Matches{ - IpRule: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule{ - Ip: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Ip{ - DestinationNetwork: vppRule.DstIpAddr, - SourceNetwork: vppRule.SrcIpAddr, - }, - Udp: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Udp{ - DestinationPortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Udp_DestinationPortRange{ - LowerPort: uint32(vppRule.DstPort), - UpperPort: uint32(vppRule.DstPort), - }, - SourcePortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Udp_SourcePortRange{ - LowerPort: uint32(vppRule.DstPort), - UpperPort: uint32(vppRule.DstPort), - }, - }, - }, - }, - }) - } else { - aclcfg.acl.Rules = append(aclcfg.acl.Rules, - &vpp_acl.AccessLists_Acl_Rule{ - Matches: &vpp_acl.AccessLists_Acl_Rule_Matches{ - IpRule: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule{ - Ip: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Ip{ - DestinationNetwork: vppRule.DstIpAddr, - SourceNetwork: vppRule.SrcIpAddr, - }, - }, - }, - }, - ) - } - log.Infof("ACL config: %v", aclcfg) - - err = localclient.DataChangeRequest(vppDriverID). - Put(). - ACL(aclcfg.acl). - Send(). - ReceiveReply() + log.Infof("Add policy rule with id='%s' and config: %+v", id, vppRule) + // save local endpoint info + d.oper.localACLConfigMutex.Lock() + d.oper.LocalACLConfig[epgID] = append(d.oper.LocalACLConfig[epgID], vppRule) + d.oper.localACLConfigMutex.Unlock() + err = d.oper.Write() if err != nil { - log.Errorf("Failed to create network id='%s', Err: %v", id, err) return err } - // Store the network configuration - d.oper.localACLConfigMutex.Lock() - d.oper.LocalACLConfig[id] = aclcfg - d.oper.localACLConfigMutex.Unlock() return nil } 
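Review bot: AddPolicyRule now only appends the rule to `d.oper.LocalACLConfig[epgID]` and no longer sends anything to VPP, and the only caller of addEndpointACL visible in this patch is CreateEndpoint, so a rule added after an endpoint in that group already exists is never programmed for it unless another path not in this diff re-applies rules to existing endpoints — that endpoint keeps running without the policy. The former "already configured" check was removed, so a repeated call for the same rule id (for example on replay) appends a duplicate entry that addEndpointACL later programs as a second ACL; check for an existing entry with the same `RuleId` before appending. If `d.oper.Write()` fails the in-memory slice has already been updated, leaving memory and persisted oper state out of step; build the new slice first, write, and only then publish it under the mutex, or drop the entry on write failure. The `log.Infof("EPGID = %d", ruleCfg.EndpointGroupID)` line reads like leftover debugging next to the fuller log line that follows it.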
@@ -765,3 +681,110 @@ func genNetworkVNI(netID string) uint32 { } return vni } + +func addEndpointACL(rule []*ofnet.OfnetPolicyRule, epGroupID int, afPacketName string) error { + aclcfg := ACLConfig{} + var action *vpp_acl.AccessLists_Acl_Rule_Actions + var matches *vpp_acl.AccessLists_Acl_Rule_Matches + var interfaces *vpp_acl.AccessLists_Acl_Interfaces + + for _, vppRule := range rule { + ruleID := vppRule.RuleId + epPolicyIf := []string{afPacketName} + + if ruleID[len(ruleID)-2:] == "Rx" { + interfaces = &vpp_acl.AccessLists_Acl_Interfaces{ + Egress: epPolicyIf, + } + } else { + interfaces = &vpp_acl.AccessLists_Acl_Interfaces{ + Ingress: epPolicyIf, + } + } + + // Action rule to be VPP specific + if vppRule.Action == "allow" { + action = &vpp_acl.AccessLists_Acl_Rule_Actions{ + AclAction: vpp_acl.AclAction_PERMIT, + } + } else if vppRule.Action == "deny" { + action = &vpp_acl.AccessLists_Acl_Rule_Actions{ + AclAction: vpp_acl.AclAction_DENY, + } + } + + // Src/DstNetwork choice based on protocol + if vppRule.IpProtocol == 6 { + matches = &vpp_acl.AccessLists_Acl_Rule_Matches{ + IpRule: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule{ + Ip: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Ip{ + DestinationNetwork: vppRule.DstIpAddr, + SourceNetwork: vppRule.SrcIpAddr, + }, + Tcp: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Tcp{ + DestinationPortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Tcp_DestinationPortRange{ + LowerPort: uint32(vppRule.DstPort), + UpperPort: uint32(vppRule.DstPort), + }, + SourcePortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Tcp_SourcePortRange{ + LowerPort: uint32(vppRule.SrcPort), + UpperPort: uint32(vppRule.SrcPort), + }, + }, + }, + } + } else if vppRule.IpProtocol == 17 { + matches = &vpp_acl.AccessLists_Acl_Rule_Matches{ + IpRule: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule{ + Ip: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Ip{ + DestinationNetwork: vppRule.DstIpAddr, + SourceNetwork: vppRule.SrcIpAddr, + }, + Udp: 
&vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Udp{ + DestinationPortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Udp_DestinationPortRange{ + LowerPort: uint32(vppRule.DstPort), + UpperPort: uint32(vppRule.DstPort), + }, + SourcePortRange: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Udp_SourcePortRange{ + LowerPort: uint32(vppRule.SrcPort), + UpperPort: uint32(vppRule.SrcPort), + }, + }, + }, + } + } else { + matches = &vpp_acl.AccessLists_Acl_Rule_Matches{ + IpRule: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule{ + Ip: &vpp_acl.AccessLists_Acl_Rule_Matches_IpRule_Ip{ + DestinationNetwork: vppRule.DstIpAddr, + SourceNetwork: vppRule.SrcIpAddr, + }, + }, + } + } + + aclcfg.acl = &vpp_acl.AccessLists_Acl{ + AclName: "acl-" + vppRule.RuleId[0:6] + "-epg-" + strconv.Itoa(epGroupID), + Rules: []*vpp_acl.AccessLists_Acl_Rule{ + { + RuleName: vppRule.RuleId, + Actions: action, + Matches: matches, + }, + }, + Interfaces: interfaces, + } + + err := localclient.DataChangeRequest(vppDriverID). + Put(). + ACL(aclcfg.acl). + Send(). + ReceiveReply() + + if err != nil { + log.Errorf("Failed to create policy rule id='%s', Err: %v", vppRule.RuleId, err) + return err + } + } + return nil +} diff --git a/netmaster/mastercfg/policyRuleState.go b/netmaster/mastercfg/policyRuleState.go index 0479f076a..2501391f2 100755 --- a/netmaster/mastercfg/policyRuleState.go +++ b/netmaster/mastercfg/policyRuleState.go @@ -32,6 +32,7 @@ const ( type CfgPolicyRule struct { core.CommonState ofnet.OfnetPolicyRule + EndpointGroupID int // Endpoint group where this policy is attached to } // Write the state. 
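Review bot: In addEndpointACL, `action` and `matches` are declared once outside the loop and only assigned in some branches, so a rule whose Action is neither "allow" nor "deny" is pushed to VPP with whatever action the previous rule set (or nil on the first iteration), which can silently turn an intended deny into a permit; declare them per iteration and reject an unknown action with an error. `ruleID[len(ruleID)-2:]` and `vppRule.RuleId[0:6]` index without a length check and panic the driver on a short rule id. The port ranges set LowerPort and UpperPort to the same value, so if a zero SrcPort/DstPort means "any port" in OfnetPolicyRule (not visible here) the resulting ACL matches only port 0 — worth confirming, since it would make such rules silently ineffective. The protocol numbers would read better as named constants (`protoTCP = 6`, `protoUDP = 17`).
```go
func addEndpointACL(rule []*ofnet.OfnetPolicyRule, epGroupID int, afPacketName string) error {
	for _, vppRule := range rule {
		ruleID := vppRule.RuleId
		// The name and direction suffix below slice ruleID; refuse ids too short for that.
		if len(ruleID) < 6 {
			return fmt.Errorf("policy rule id %q too short to build an ACL name", ruleID)
		}
		epPolicyIf := []string{afPacketName}

		// Per-iteration declarations so nothing carries over between rules.
		var interfaces *vpp_acl.AccessLists_Acl_Interfaces
		if ruleID[len(ruleID)-2:] == "Rx" {
			interfaces = &vpp_acl.AccessLists_Acl_Interfaces{Egress: epPolicyIf}
		} else {
			interfaces = &vpp_acl.AccessLists_Acl_Interfaces{Ingress: epPolicyIf}
		}

		var action *vpp_acl.AccessLists_Acl_Rule_Actions
		switch vppRule.Action {
		case "allow":
			action = &vpp_acl.AccessLists_Acl_Rule_Actions{AclAction: vpp_acl.AclAction_PERMIT}
		case "deny":
			action = &vpp_acl.AccessLists_Acl_Rule_Actions{AclAction: vpp_acl.AclAction_DENY}
		default:
			// Never program an ACL with an unspecified action.
			return fmt.Errorf("policy rule %q has unsupported action %q", ruleID, vppRule.Action)
		}

		var matches *vpp_acl.AccessLists_Acl_Rule_Matches
		// … unchanged: protocol-specific match construction …
		// … unchanged: ACL assembly and DataChangeRequest …
```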
@@ -64,10 +65,11 @@ func (s *CfgPolicyRule) Clear() error { } // addPolicyRuleState adds policy rule to state store -func addPolicyRuleState(ofnetRule *ofnet.OfnetPolicyRule) error { +func addPolicyRuleState(ofnetRule *ofnet.OfnetPolicyRule, epgID int) error { ruleCfg := &CfgPolicyRule{} ruleCfg.StateDriver = stateStore ruleCfg.OfnetPolicyRule = (*ofnetRule) + ruleCfg.EndpointGroupID = epgID // Save the rule return ruleCfg.Write() diff --git a/netmaster/mastercfg/policyState.go b/netmaster/mastercfg/policyState.go index 495b04442..7161e9178 100644 --- a/netmaster/mastercfg/policyState.go +++ b/netmaster/mastercfg/policyState.go @@ -294,7 +294,7 @@ func (gp *EpgPolicy) createOfnetRule(rule *contivModel.Rule, dir string) (*ofnet // } // Send AddRule to netplugin agents - err = addPolicyRuleState(ofnetRule) + err = addPolicyRuleState(ofnetRule, gp.EndpointGroupID) if err != nil { log.Errorf("Error creating rule {%+v}. Err: %v", ofnetRule, err) return nil, err @@ -380,7 +380,7 @@ func (gp *EpgPolicy) DelRule(rule *contivModel.Rule) error { // } // Send DelRule to netplugin agents - err = delPolicyRuleState(ofnetRule) + err := delPolicyRuleState(ofnetRule) if err != nil { log.Errorf("Error deleting the ofnet rule {%+v}. Err: %v", ofnetRule, err) } From a85e295e1363a812c12870b316cb60d9000b708d Mon Sep 17 00:00:00 2001 From: Nikos Bregiannis Date: Mon, 21 Aug 2017 04:46:21 -0700 Subject: [PATCH 7/7] [vppd] fixed acl naming --- drivers/vppd/vppdriver.go | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/drivers/vppd/vppdriver.go b/drivers/vppd/vppdriver.go index ab5d927be..5cd0d8302 100644 --- a/drivers/vppd/vppdriver.go +++ b/drivers/vppd/vppdriver.go 
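Review bot: The `err := delPolicyRuleState(ofnetRule)` change in the DelRule hunk implies `err` was not declared in that scope before, so the old `=` would not have compiled; if an `err` does exist earlier in DelRule (outside the hunk), `:=` now shadows it instead of assigning to it. Either way the result is only logged on the context lines and DelRule continues, so a rule whose state-store deletion fails is still reported as deleted to the caller while agents may keep enforcing it; return it, `return fmt.Errorf("deleting policy rule state %+v: %v", ofnetRule, err)`, or collect it for the caller. DelRule starts and ends outside this hunk.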
@@ -58,11 +58,6 @@ type ACLConfig struct { acl *vpp_acl.AccessLists_Acl // ACL } -// ACLConfig stores ACL configuration for a given network. -type ACLConfig struct { - acl *vpp_acl.AccessLists_Acl // ACL -} - // VppDriverOperState carries operational state of the VppDriver. type VppDriverOperState struct { core.CommonState @@ -693,7 +688,7 @@ func addEndpointACL(rule []*ofnet.OfnetPolicyRule, epGroupID int, afPacketName s var matches *vpp_acl.AccessLists_Acl_Rule_Matches var interfaces *vpp_acl.AccessLists_Acl_Interfaces - for _, vppRule := range rule { + for id, vppRule := range rule { ruleID := vppRule.RuleId epPolicyIf := []string{afPacketName} @@ -769,10 +764,10 @@ func addEndpointACL(rule []*ofnet.OfnetPolicyRule, epGroupID int, afPacketName s } aclcfg.acl = &vpp_acl.AccessLists_Acl{ - AclName: "acl-" + vppRule.RuleId[0:6] + "-epg-" + strconv.Itoa(epGroupID), + AclName: "acl-" + vppRule.RuleId[0:7] + "-id-" + strconv.Itoa(id) + afPacketName + "-" + ruleID[len(ruleID)-2:], Rules: []*vpp_acl.AccessLists_Acl_Rule{ { - RuleName: vppRule.RuleId, + RuleName: vppRule.RuleId + strconv.Itoa(id), Actions: action, Matches: matches, },
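Review bot: The new AclName in the last hunk, `"acl-" + vppRule.RuleId[0:7] + "-id-" + strconv.Itoa(id) + afPacketName + "-" + ruleID[len(ruleID)-2:]`, embeds the slice index `id`, which shifts whenever `LocalACLConfig[epgID]` is appended to or reordered, so the same rule can be re-applied under a different name and, if the VPP agent keys ACLs by name, the earlier copy is never replaced and lingers on the interface; derive the name from the stable `RuleId` and the interface instead. `RuleId[0:7]` (previously `[0:6]`) panics on rule ids shorter than seven characters, and there is no separator between the index and `afPacketName`, so the name cannot be parsed back reliably. The same index is appended to `RuleName`, with the same stability concern. addEndpointACL's body starts outside this hunk.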