diff options
Diffstat (limited to 'framework/src/onos/apps/acl/src/main/java/org/onosproject/acl/impl')
3 files changed, 0 insertions, 609 deletions
diff --git a/framework/src/onos/apps/acl/src/main/java/org/onosproject/acl/impl/AclManager.java b/framework/src/onos/apps/acl/src/main/java/org/onosproject/acl/impl/AclManager.java deleted file mode 100644 index 638f0799..00000000 --- a/framework/src/onos/apps/acl/src/main/java/org/onosproject/acl/impl/AclManager.java +++ /dev/null @@ -1,338 +0,0 @@ -/* - * Copyright 2015 Open Networking Laboratory - * Originally created by Pengfei Lu, Network and Cloud Computing Laboratory, Dalian University of Technology, China - * Advisers: Keqiu Li, Heng Qi and Haisheng Yu - * This work is supported by the State Key Program of National Natural Science of China(Grant No. 61432002) - * and Prospective Research Project on Future Networks in Jiangsu Future Networks Innovation Institute. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.onosproject.acl.impl; - -import org.onlab.packet.Ethernet; -import org.onlab.packet.IPv4; -import org.onlab.packet.Ip4Address; -import org.onlab.packet.Ip4Prefix; -import org.onlab.packet.IpAddress; -import org.onlab.packet.TpPort; -import org.onosproject.acl.AclRule; -import org.onosproject.acl.AclService; -import org.onosproject.acl.AclStore; -import org.apache.felix.scr.annotations.Activate; -import org.apache.felix.scr.annotations.Component; -import org.apache.felix.scr.annotations.Deactivate; -import org.apache.felix.scr.annotations.Reference; -import org.apache.felix.scr.annotations.ReferenceCardinality; -import org.apache.felix.scr.annotations.Service; -import org.onosproject.acl.RuleId; -import org.onosproject.core.ApplicationId; -import org.onosproject.core.CoreService; -import org.onosproject.core.IdGenerator; -import org.onosproject.mastership.MastershipService; -import org.onosproject.net.DeviceId; -import org.onosproject.net.Host; -import org.onosproject.net.MastershipRole; -import org.onosproject.net.PortNumber; -import org.onosproject.net.flow.DefaultFlowEntry; -import org.onosproject.net.flow.DefaultTrafficSelector; -import org.onosproject.net.flow.DefaultTrafficTreatment; -import org.onosproject.net.flow.FlowEntry; -import org.onosproject.net.flow.FlowRule; -import org.onosproject.net.flow.FlowRuleService; -import org.onosproject.net.flow.TrafficSelector; -import org.onosproject.net.flow.TrafficTreatment; -import org.onosproject.net.flow.instructions.Instructions; -import org.onosproject.net.host.HostEvent; -import org.onosproject.net.host.HostListener; -import org.onosproject.net.host.HostService; -import org.slf4j.Logger; - -import java.util.HashSet; -import java.util.List; -import java.util.Set; - -import static org.slf4j.LoggerFactory.getLogger; - -/** - * Implementation of the ACL service. - */ -@Component(immediate = true) -@Service -public class AclManager implements AclService { - - @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY) - protected CoreService coreService; - @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY) - protected FlowRuleService flowRuleService; - @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY) - protected HostService hostService; - @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY) - protected MastershipService mastershipService; - - @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY) - protected AclStore aclStore; - - private final Logger log = getLogger(getClass()); - private ApplicationId appId; - private final HostListener hostListener = new InternalHostListener(); - private IdGenerator idGenerator; - - /** - * Checks if the given IP address is in the given CIDR address. - */ - private boolean checkIpInCidr(Ip4Address ip, Ip4Prefix cidr) { - int offset = 32 - cidr.prefixLength(); - int cidrPrefix = cidr.address().toInt(); - int ipIntValue = ip.toInt(); - cidrPrefix = cidrPrefix >> offset; - ipIntValue = ipIntValue >> offset; - cidrPrefix = cidrPrefix << offset; - ipIntValue = ipIntValue << offset; - - return (cidrPrefix == ipIntValue); - } - - private class InternalHostListener implements HostListener { - - /** - * Generate new ACL flow rules for new host following the given ACL rule. - */ - private void processHostAddedEvent(HostEvent event, AclRule rule) { - DeviceId deviceId = event.subject().location().deviceId(); - for (IpAddress address : event.subject().ipAddresses()) { - if ((rule.srcIp() != null) ? - (checkIpInCidr(address.getIp4Address(), rule.srcIp())) : - (checkIpInCidr(address.getIp4Address(), rule.dstIp()))) { - if (!aclStore.checkIfRuleWorksInDevice(rule.id(), deviceId)) { - List<RuleId> allowingRuleList = aclStore - .getAllowingRuleByDenyingRule(rule.id()); - if (allowingRuleList != null) { - for (RuleId allowingRuleId : allowingRuleList) { - generateAclFlow(aclStore.getAclRule(allowingRuleId), deviceId); - } - } - generateAclFlow(rule, deviceId); - } - } - } - } - - @Override - public void event(HostEvent event) { - // if a new host appears and an existing rule denies - // its traffic, a new ACL flow rule is generated. - if (event.type() == HostEvent.Type.HOST_ADDED) { - DeviceId deviceId = event.subject().location().deviceId(); - if (mastershipService.getLocalRole(deviceId) == MastershipRole.MASTER) { - for (AclRule rule : aclStore.getAclRules()) { - if (rule.action() != AclRule.Action.ALLOW) { - processHostAddedEvent(event, rule); - } - } - } - } - } - } - - @Activate - public void activate() { - appId = coreService.registerApplication("org.onos.acl"); - hostService.addListener(hostListener); - idGenerator = coreService.getIdGenerator("acl-ids"); - AclRule.bindIdGenerator(idGenerator); - log.info("Started"); - } - - @Deactivate - public void deactivate() { - hostService.removeListener(hostListener); - flowRuleService.removeFlowRulesById(appId); - aclStore.clearAcl(); - log.info("Stopped"); - } - - @Override - public List<AclRule> getAclRules() { - return aclStore.getAclRules(); - } - - /** - * Checks if the new ACL rule matches an existing rule. - * If existing allowing rules matches the new denying rule, store the mappings. - * - * @return true if the new ACL rule matches an existing rule, false otherwise - */ - private boolean matchCheck(AclRule newRule) { - for (AclRule existingRule : aclStore.getAclRules()) { - if (newRule.checkMatch(existingRule)) { - return true; - } - - if (existingRule.action() == AclRule.Action.ALLOW - && newRule.action() == AclRule.Action.DENY) { - if (existingRule.checkMatch(newRule)) { - aclStore.addDenyToAllowMapping(newRule.id(), existingRule.id()); - } - } - } - return false; - } - - @Override - public boolean addAclRule(AclRule rule) { - if (matchCheck(rule)) { - return false; - } - aclStore.addAclRule(rule); - log.info("ACL rule(id:{}) is added.", rule.id()); - if (rule.action() != AclRule.Action.ALLOW) { - enforceRuleAdding(rule); - } - return true; - } - - /** - * Gets a set containing all devices connecting with the hosts - * whose IP address is in the given CIDR IP address. - */ - private Set<DeviceId> getDeviceIdSet(Ip4Prefix cidrAddr) { - Set<DeviceId> deviceIdSet = new HashSet<>(); - final Iterable<Host> hosts = hostService.getHosts(); - - if (cidrAddr.prefixLength() != 32) { - for (Host h : hosts) { - for (IpAddress a : h.ipAddresses()) { - if (checkIpInCidr(a.getIp4Address(), cidrAddr)) { - deviceIdSet.add(h.location().deviceId()); - } - } - } - } else { - for (Host h : hosts) { - for (IpAddress a : h.ipAddresses()) { - if (checkIpInCidr(a.getIp4Address(), cidrAddr)) { - deviceIdSet.add(h.location().deviceId()); - return deviceIdSet; - } - } - } - } - return deviceIdSet; - } - - /** - * Enforces denying ACL rule by ACL flow rules. - */ - private void enforceRuleAdding(AclRule rule) { - Set<DeviceId> dpidSet; - if (rule.srcIp() != null) { - dpidSet = getDeviceIdSet(rule.srcIp()); - } else { - dpidSet = getDeviceIdSet(rule.dstIp()); - } - - for (DeviceId deviceId : dpidSet) { - List<RuleId> allowingRuleList = aclStore.getAllowingRuleByDenyingRule(rule.id()); - if (allowingRuleList != null) { - for (RuleId allowingRuleId : allowingRuleList) { - generateAclFlow(aclStore.getAclRule(allowingRuleId), deviceId); - } - } - generateAclFlow(rule, deviceId); - } - } - - /** - * Generates ACL flow rule according to ACL rule - * and install it into related device. - */ - private void generateAclFlow(AclRule rule, DeviceId deviceId) { - if (rule == null || aclStore.checkIfRuleWorksInDevice(rule.id(), deviceId)) { - return; - } - - TrafficSelector.Builder selectorBuilder = DefaultTrafficSelector.builder(); - TrafficTreatment.Builder treatment = DefaultTrafficTreatment.builder(); - FlowEntry.Builder flowEntry = DefaultFlowEntry.builder(); - - selectorBuilder.matchEthType(Ethernet.TYPE_IPV4); - if (rule.srcIp() != null) { - selectorBuilder.matchIPSrc(rule.srcIp()); - if (rule.dstIp() != null) { - selectorBuilder.matchIPDst(rule.dstIp()); - } - } else { - selectorBuilder.matchIPDst(rule.dstIp()); - } - if (rule.ipProto() != 0) { - selectorBuilder.matchIPProtocol(Integer.valueOf(rule.ipProto()).byteValue()); - } - if (rule.dstTpPort() != 0) { - switch (rule.ipProto()) { - case IPv4.PROTOCOL_TCP: - selectorBuilder.matchTcpDst(TpPort.tpPort(rule.dstTpPort())); - break; - case IPv4.PROTOCOL_UDP: - selectorBuilder.matchUdpDst(TpPort.tpPort(rule.dstTpPort())); - break; - default: - break; - } - } - if (rule.action() == AclRule.Action.ALLOW) { - treatment.add(Instructions.createOutput(PortNumber.CONTROLLER)); - } - flowEntry.forDevice(deviceId); - flowEntry.withPriority(aclStore.getPriorityByDevice(deviceId)); - flowEntry.withSelector(selectorBuilder.build()); - flowEntry.withTreatment(treatment.build()); - flowEntry.fromApp(appId); - flowEntry.makePermanent(); - // install flow rule - flowRuleService.applyFlowRules(flowEntry.build()); - log.debug("ACL flow rule {} is installed in {}.", flowEntry.build(), deviceId); - aclStore.addRuleToFlowMapping(rule.id(), flowEntry.build()); - aclStore.addRuleToDeviceMapping(rule.id(), deviceId); - } - - @Override - public void removeAclRule(RuleId ruleId) { - aclStore.removeAclRule(ruleId); - log.info("ACL rule(id:{}) is removed.", ruleId); - enforceRuleRemoving(ruleId); - } - - /** - * Enforces removing an existing ACL rule. - */ - private void enforceRuleRemoving(RuleId ruleId) { - Set<FlowRule> flowSet = aclStore.getFlowByRule(ruleId); - if (flowSet != null) { - for (FlowRule flowRule : flowSet) { - flowRuleService.removeFlowRules(flowRule); - log.debug("ACL flow rule {} is removed from {}.", flowRule.toString(), flowRule.deviceId().toString()); - } - } - aclStore.removeRuleToFlowMapping(ruleId); - aclStore.removeRuleToDeviceMapping(ruleId); - aclStore.removeDenyToAllowMapping(ruleId); - } - - @Override - public void clearAcl() { - aclStore.clearAcl(); - flowRuleService.removeFlowRulesById(appId); - log.info("ACL is cleared."); - } - -} diff --git a/framework/src/onos/apps/acl/src/main/java/org/onosproject/acl/impl/DistributedAclStore.java b/framework/src/onos/apps/acl/src/main/java/org/onosproject/acl/impl/DistributedAclStore.java deleted file mode 100644 index a5fcfcc7..00000000 --- a/framework/src/onos/apps/acl/src/main/java/org/onosproject/acl/impl/DistributedAclStore.java +++ /dev/null @@ -1,251 +0,0 @@ -/* - * Copyright 2015 Open Networking Laboratory - * Originally created by Pengfei Lu, Network and Cloud Computing Laboratory, Dalian University of Technology, China - * Advisers: Keqiu Li, Heng Qi and Haisheng Yu - * This work is supported by the State Key Program of National Natural Science of China(Grant No. 61432002) - * and Prospective Research Project on Future Networks in Jiangsu Future Networks Innovation Institute. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.onosproject.acl.impl; - -import com.google.common.collect.Collections2; -import org.onosproject.acl.AclRule; -import org.onosproject.acl.AclStore; -import org.apache.felix.scr.annotations.Activate; -import org.apache.felix.scr.annotations.Component; -import org.apache.felix.scr.annotations.Deactivate; -import org.apache.felix.scr.annotations.Reference; -import org.apache.felix.scr.annotations.ReferenceCardinality; -import org.apache.felix.scr.annotations.Service; -import org.onlab.util.KryoNamespace; -import org.onosproject.acl.RuleId; -import org.onosproject.core.ApplicationId; -import org.onosproject.core.CoreService; -import org.onosproject.net.DeviceId; -import org.onosproject.net.flow.FlowRule; -import org.onosproject.store.AbstractStore; -import org.onosproject.store.serializers.KryoNamespaces; -import org.onosproject.store.service.ConsistentMap; -import org.onosproject.store.service.Serializer; -import org.onosproject.store.service.StorageService; -import org.onosproject.store.service.Versioned; -import org.slf4j.Logger; - -import java.util.ArrayList; -import java.util.HashSet; -import java.util.List; -import java.util.Set; - -import static org.slf4j.LoggerFactory.getLogger; - -/** - * Implementation of the ACL store service. - */ -@Component(immediate = true) -@Service -public class DistributedAclStore extends AbstractStore implements AclStore { - - private final Logger log = getLogger(getClass()); - private final int defaultFlowMaxPriority = 30000; - - private ConsistentMap<RuleId, AclRule> ruleSet; - private ConsistentMap<DeviceId, Integer> deviceToPriority; - private ConsistentMap<RuleId, Set<DeviceId>> ruleToDevice; - private ConsistentMap<RuleId, Set<FlowRule>> ruleToFlow; - private ConsistentMap<RuleId, List<RuleId>> denyRuleToAllowRule; - - @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY) - protected StorageService storageService; - @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY) - protected CoreService coreService; - - @Activate - public void activate() { - ApplicationId appId = coreService.getAppId("org.onosproject.acl"); - - KryoNamespace.Builder serializer = KryoNamespace.newBuilder() - .register(KryoNamespaces.API) - .register(AclRule.class) - .register(AclRule.Action.class) - .register(RuleId.class); - - ruleSet = storageService.<RuleId, AclRule>consistentMapBuilder() - .withSerializer(Serializer.using(serializer.build())) - .withName("acl-rule-set") - .withApplicationId(appId) - .withPurgeOnUninstall() - .build(); - - deviceToPriority = storageService.<DeviceId, Integer>consistentMapBuilder() - .withSerializer(Serializer.using(serializer.build())) - .withName("device-to-priority") - .withApplicationId(appId) - .withPurgeOnUninstall() - .build(); - - ruleToFlow = storageService.<RuleId, Set<FlowRule>>consistentMapBuilder() - .withSerializer(Serializer.using(serializer.build())) - .withName("rule-to-flow") - .withApplicationId(appId) - .withPurgeOnUninstall() - .build(); - - denyRuleToAllowRule = storageService.<RuleId, List<RuleId>>consistentMapBuilder() - .withSerializer(Serializer.using(serializer.build())) - .withName("deny-to-allow") - .withApplicationId(appId) - .withPurgeOnUninstall() - .build(); - - ruleToDevice = storageService.<RuleId, Set<DeviceId>>consistentMapBuilder() - .withSerializer(Serializer.using(serializer.build())) - .withName("rule-to-device") - .withApplicationId(appId) - .withPurgeOnUninstall() - .build(); - - log.info("Started"); - } - - @Deactivate - public void deactive() { - log.info("Stopped"); - } - - @Override - public List<AclRule> getAclRules() { - List<AclRule> aclRules = new ArrayList<>(); - aclRules.addAll(Collections2.transform(ruleSet.values(), Versioned::value)); - return aclRules; - } - - @Override - public void addAclRule(AclRule rule) { - ruleSet.putIfAbsent(rule.id(), rule); - } - - @Override - public AclRule getAclRule(RuleId ruleId) { - Versioned<AclRule> rule = ruleSet.get(ruleId); - if (rule != null) { - return rule.value(); - } else { - return null; - } - } - - @Override - public void removeAclRule(RuleId ruleId) { - ruleSet.remove(ruleId); - } - - @Override - public void clearAcl() { - ruleSet.clear(); - deviceToPriority.clear(); - ruleToFlow.clear(); - denyRuleToAllowRule.clear(); - ruleToDevice.clear(); - } - - @Override - public int getPriorityByDevice(DeviceId deviceId) { - return deviceToPriority.compute(deviceId, - (id, priority) -> (priority == null) ? defaultFlowMaxPriority : (priority - 1)) - .value(); - } - - @Override - public Set<FlowRule> getFlowByRule(RuleId ruleId) { - Versioned<Set<FlowRule>> flowRuleSet = ruleToFlow.get(ruleId); - if (flowRuleSet != null) { - return flowRuleSet.value(); - } else { - return null; - } - } - - @Override - public void addRuleToFlowMapping(RuleId ruleId, FlowRule flowRule) { - ruleToFlow.computeIf(ruleId, - flowRuleSet -> (flowRuleSet == null || !flowRuleSet.contains(flowRule)), - (id, flowRuleSet) -> { - Set<FlowRule> newSet = new HashSet<>(); - if (flowRuleSet != null) { - newSet.addAll(flowRuleSet); - } - newSet.add(flowRule); - return newSet; - }); - } - - @Override - public void removeRuleToFlowMapping(RuleId ruleId) { - ruleToFlow.remove(ruleId); - } - - @Override - public List<RuleId> getAllowingRuleByDenyingRule(RuleId denyingRuleId) { - Versioned<List<RuleId>> allowRuleIdSet = denyRuleToAllowRule.get(denyingRuleId); - if (allowRuleIdSet != null) { - return allowRuleIdSet.value(); - } else { - return null; - } - } - - @Override - public void addDenyToAllowMapping(RuleId denyingRuleId, RuleId allowingRuleId) { - denyRuleToAllowRule.computeIf(denyingRuleId, - ruleIdList -> (ruleIdList == null || !ruleIdList.contains(allowingRuleId)), - (id, ruleIdList) -> { - ArrayList<RuleId> newList = new ArrayList<>(); - if (ruleIdList != null) { - newList.addAll(ruleIdList); - } - newList.add(allowingRuleId); - return newList; - }); - } - - @Override - public void removeDenyToAllowMapping(RuleId denyingRuleId) { - denyRuleToAllowRule.remove(denyingRuleId); - } - - @Override - public boolean checkIfRuleWorksInDevice(RuleId ruleId, DeviceId deviceId) { - return ruleToDevice.containsKey(ruleId) && ruleToDevice.get(ruleId).value().contains(deviceId); - } - - @Override - public void addRuleToDeviceMapping(RuleId ruleId, DeviceId deviceId) { - ruleToDevice.computeIf(ruleId, - deviceIdSet -> (deviceIdSet == null || !deviceIdSet.contains(deviceId)), - (id, deviceIdSet) -> { - Set<DeviceId> newSet = new HashSet<>(); - if (deviceIdSet != null) { - newSet.addAll(deviceIdSet); - } - newSet.add(deviceId); - return newSet; - }); - } - - @Override - public void removeRuleToDeviceMapping(RuleId ruleId) { - ruleToDevice.remove(ruleId); - } - -} diff --git a/framework/src/onos/apps/acl/src/main/java/org/onosproject/acl/impl/package-info.java b/framework/src/onos/apps/acl/src/main/java/org/onosproject/acl/impl/package-info.java deleted file mode 100644 index 9da9b3b7..00000000 --- a/framework/src/onos/apps/acl/src/main/java/org/onosproject/acl/impl/package-info.java +++ /dev/null @@ -1,20 +0,0 @@ -/* - * Copyright 2015 Open Networking Laboratory - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -/** - * ACL application implementation. - */ -package org.onosproject.acl.impl; |