[ONOS-6822] SONA : bug fix of ingress packets are always allowed without ingress allow security group rules.
- The 'security group table by-pass rule' is now inserted only when security groups are disabled.
Change-Id: Ie01f561527675bdc2f52716023406c7fc9e36e3e
diff --git a/apps/openstacknetworking/src/main/java/org/onosproject/openstacknetworking/api/OpenstackFlowRuleService.java b/apps/openstacknetworking/src/main/java/org/onosproject/openstacknetworking/api/OpenstackFlowRuleService.java
index 4a89904..5fc9b2b 100644
--- a/apps/openstacknetworking/src/main/java/org/onosproject/openstacknetworking/api/OpenstackFlowRuleService.java
+++ b/apps/openstacknetworking/src/main/java/org/onosproject/openstacknetworking/api/OpenstackFlowRuleService.java
@@ -44,4 +44,21 @@
int priority,
int tableType,
boolean install);
+
+ /**
+ * Install table miss entry (drop rule) in the table.
+ *
+ * @param deviceId device ID
+ * @param table table number
+ */
+ void setUpTableMissEntry(DeviceId deviceId, int table);
+
+ /**
+ * Install a flor rule for transition from table A to table B.
+ *
+ * @param deviceId device Id
+ * @param fromTable table number of table A
+ * @param toTable table number of table B
+ */
+ void connectTables(DeviceId deviceId, int fromTable, int toTable);
}
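Review bot: The Javadoc for the new `connectTables` method has a typo, `Install a flor rule` should read `Install a flow rule`. Because OpenstackSecurityGroupHandler now depends on `setUpTableMissEntry` to make the ACL table fail closed and on `connectTables` to open it, the two contracts should state how they interact when both target the same table, for example on `setUpTableMissEntry`: `Installs a match-all drop rule as the table's default so that packets matched by no explicit rule are discarded.` and on `connectTables`: `Installs a match-all rule forwarding every packet of fromTable to toTable; callers that previously installed a miss entry in fromTable rely on this replacing it.` The priority and match actually used are in OpenstackFlowRuleManager, outside this hunk, so confirm the wording against that implementation before committing it.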
diff --git a/apps/openstacknetworking/src/main/java/org/onosproject/openstacknetworking/impl/OpenstackFlowRuleManager.java b/apps/openstacknetworking/src/main/java/org/onosproject/openstacknetworking/impl/OpenstackFlowRuleManager.java
index 2e167d6..d4a8b68 100644
--- a/apps/openstacknetworking/src/main/java/org/onosproject/openstacknetworking/impl/OpenstackFlowRuleManager.java
+++ b/apps/openstacknetworking/src/main/java/org/onosproject/openstacknetworking/impl/OpenstackFlowRuleManager.java
@@ -148,7 +148,8 @@
setupJumpTable(deviceId);
}
- private void connectTables(DeviceId deviceId, int fromTable, int toTable) {
+ @Override
+ public void connectTables(DeviceId deviceId, int fromTable, int toTable) {
TrafficSelector.Builder selector = DefaultTrafficSelector.builder();
TrafficTreatment.Builder treatment = DefaultTrafficTreatment.builder();
@@ -167,7 +168,8 @@
applyRule(flowRule, true);
}
- private void setUpTableMissEntry(DeviceId deviceId, int table) {
+ @Override
+ public void setUpTableMissEntry(DeviceId deviceId, int table) {
TrafficSelector.Builder selector = DefaultTrafficSelector.builder();
TrafficTreatment.Builder treatment = DefaultTrafficTreatment.builder();
diff --git a/apps/openstacknetworking/src/main/java/org/onosproject/openstacknetworking/impl/OpenstackSecurityGroupHandler.java b/apps/openstacknetworking/src/main/java/org/onosproject/openstacknetworking/impl/OpenstackSecurityGroupHandler.java
index 582503a..690fc6c 100644
--- a/apps/openstacknetworking/src/main/java/org/onosproject/openstacknetworking/impl/OpenstackSecurityGroupHandler.java
+++ b/apps/openstacknetworking/src/main/java/org/onosproject/openstacknetworking/impl/OpenstackSecurityGroupHandler.java
@@ -51,6 +51,8 @@
import org.onosproject.openstacknetworking.api.OpenstackSecurityGroupEvent;
import org.onosproject.openstacknetworking.api.OpenstackSecurityGroupListener;
import org.onosproject.openstacknetworking.api.OpenstackSecurityGroupService;
+import org.onosproject.openstacknode.api.OpenstackNode;
+import org.onosproject.openstacknode.api.OpenstackNodeService;
import org.openstack4j.model.network.Port;
import org.openstack4j.model.network.SecurityGroup;
import org.openstack4j.model.network.SecurityGroupRule;
@@ -69,6 +71,7 @@
import static java.util.concurrent.Executors.newSingleThreadExecutor;
import static org.onlab.util.Tools.groupedThreads;
import static org.onosproject.openstacknetworking.api.Constants.ACL_TABLE;
+import static org.onosproject.openstacknetworking.api.Constants.JUMP_TABLE;
import static org.onosproject.openstacknetworking.api.Constants.OPENSTACK_NETWORKING_APP_ID;
import static org.onosproject.openstacknetworking.api.Constants.PRIORITY_ACL_RULE;
import static org.slf4j.LoggerFactory.getLogger;
@@ -108,6 +111,9 @@
@Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
protected ComponentConfigService configService;
+ @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
+ protected OpenstackNodeService osNodeService;
+
private final InstancePortListener instancePortListener = new InternalInstancePortListener();
private final OpenstackNetworkListener portListener = new InternalOpenstackPortListener();
private final OpenstackSecurityGroupListener securityGroupListener = new InternalSecurityGroupListener();
@@ -209,7 +215,7 @@
osFlowRuleService.setRule(appId,
instPort.deviceId(),
selector,
- DefaultTrafficTreatment.builder().build(),
+ DefaultTrafficTreatment.builder().transition(JUMP_TABLE).build(),
PRIORITY_ACL_RULE,
ACL_TABLE,
install);
@@ -362,9 +368,13 @@
private void resetSecurityGroupRules() {
if (useSecurityGroup) {
+ osNodeService.completeNodes(OpenstackNode.NodeType.COMPUTE)
+ .forEach(node -> osFlowRuleService.setUpTableMissEntry(node.intgBridge(), ACL_TABLE));
securityGroupService.securityGroups().forEach(securityGroup ->
securityGroup.getRules().forEach(this::securityGroupRuleAdded));
} else {
+ osNodeService.completeNodes(OpenstackNode.NodeType.COMPUTE)
+ .forEach(node -> osFlowRuleService.connectTables(node.intgBridge(), ACL_TABLE, JUMP_TABLE));
securityGroupService.securityGroups().forEach(securityGroup ->
securityGroup.getRules().forEach(this::securityGroupRuleRemoved));
}
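Review bot: The fail-closed ACL_TABLE miss entry is installed only for nodes that are already complete when `resetSecurityGroupRules()` runs (L92-L93), so a compute node that reaches the complete state afterwards gets whatever default its per-device bridge setup installs; if that path still installs the old unconditional ACL-to-JUMP bypass (the `setupJumpTable` call in OpenstackFlowRuleManager suggests per-device table setup lives there, but it is not visible here), such a node silently reverts to allow-all while security groups are enabled. Suggest having the node-complete handler consult `useSecurityGroup` and call `setUpTableMissEntry` or `connectTables` accordingly, or re-run this method on node events so there is a single place that decides the table default. A smaller point: neither branch removes the rule the other branch installed, so this only works if the drop entry and the bypass share the same empty match and priority and the later write replaces the earlier; once confirmed, a comment such as `// miss entry and bypass rule share the same match: installing one replaces the other` would make that dependency explicit. The method's closing brace lies just outside the hunk.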