[ONOS-6822] SONA : bug fix of ingress packets are always allowed without ingress allow security group rules.
- The 'security group table by-pass rule' is now inserted only when security group is disabled.
Change-Id: Ie01f561527675bdc2f52716023406c7fc9e36e3e
diff --git a/apps/openstacknetworking/src/main/java/org/onosproject/openstacknetworking/impl/OpenstackFlowRuleManager.java b/apps/openstacknetworking/src/main/java/org/onosproject/openstacknetworking/impl/OpenstackFlowRuleManager.java
index 2e167d6..d4a8b68 100644
--- a/apps/openstacknetworking/src/main/java/org/onosproject/openstacknetworking/impl/OpenstackFlowRuleManager.java
+++ b/apps/openstacknetworking/src/main/java/org/onosproject/openstacknetworking/impl/OpenstackFlowRuleManager.java
@@ -148,7 +148,8 @@
setupJumpTable(deviceId);
}
- private void connectTables(DeviceId deviceId, int fromTable, int toTable) {
+ @Override
+ public void connectTables(DeviceId deviceId, int fromTable, int toTable) {
TrafficSelector.Builder selector = DefaultTrafficSelector.builder();
TrafficTreatment.Builder treatment = DefaultTrafficTreatment.builder();
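Review bot: Making `connectTables` public here (and `setUpTableMissEntry` in the next hunk) lets any holder of the flow rule service change a table's default behaviour, including the ACL_TABLE to JUMP_TABLE connection that the commit message calls the security group by-pass rule. Neither method has Javadoc in the visible lines, so I'd document the security implication on the interface declaration, which is not shown in this diff, e.g. `/** Connects fromTable to toTable; connecting ACL_TABLE to JUMP_TABLE bypasses security group filtering on that device. */`. If only the security group handler is meant to call these, it is worth saying so in the same comment. Both method bodies continue outside their hunks.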
@@ -167,7 +168,8 @@
applyRule(flowRule, true);
}
- private void setUpTableMissEntry(DeviceId deviceId, int table) {
+ @Override
+ public void setUpTableMissEntry(DeviceId deviceId, int table) {
TrafficSelector.Builder selector = DefaultTrafficSelector.builder();
TrafficTreatment.Builder treatment = DefaultTrafficTreatment.builder();
diff --git a/apps/openstacknetworking/src/main/java/org/onosproject/openstacknetworking/impl/OpenstackSecurityGroupHandler.java b/apps/openstacknetworking/src/main/java/org/onosproject/openstacknetworking/impl/OpenstackSecurityGroupHandler.java
index 582503a..690fc6c 100644
--- a/apps/openstacknetworking/src/main/java/org/onosproject/openstacknetworking/impl/OpenstackSecurityGroupHandler.java
+++ b/apps/openstacknetworking/src/main/java/org/onosproject/openstacknetworking/impl/OpenstackSecurityGroupHandler.java
@@ -51,6 +51,8 @@
import org.onosproject.openstacknetworking.api.OpenstackSecurityGroupEvent;
import org.onosproject.openstacknetworking.api.OpenstackSecurityGroupListener;
import org.onosproject.openstacknetworking.api.OpenstackSecurityGroupService;
+import org.onosproject.openstacknode.api.OpenstackNode;
+import org.onosproject.openstacknode.api.OpenstackNodeService;
import org.openstack4j.model.network.Port;
import org.openstack4j.model.network.SecurityGroup;
import org.openstack4j.model.network.SecurityGroupRule;
@@ -69,6 +71,7 @@
import static java.util.concurrent.Executors.newSingleThreadExecutor;
import static org.onlab.util.Tools.groupedThreads;
import static org.onosproject.openstacknetworking.api.Constants.ACL_TABLE;
+import static org.onosproject.openstacknetworking.api.Constants.JUMP_TABLE;
import static org.onosproject.openstacknetworking.api.Constants.OPENSTACK_NETWORKING_APP_ID;
import static org.onosproject.openstacknetworking.api.Constants.PRIORITY_ACL_RULE;
import static org.slf4j.LoggerFactory.getLogger;
@@ -108,6 +111,9 @@
@Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
protected ComponentConfigService configService;
+ @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
+ protected OpenstackNodeService osNodeService;
+
private final InstancePortListener instancePortListener = new InternalInstancePortListener();
private final OpenstackNetworkListener portListener = new InternalOpenstackPortListener();
private final OpenstackSecurityGroupListener securityGroupListener = new InternalSecurityGroupListener();
@@ -209,7 +215,7 @@
osFlowRuleService.setRule(appId,
instPort.deviceId(),
selector,
- DefaultTrafficTreatment.builder().build(),
+ DefaultTrafficTreatment.builder().transition(JUMP_TABLE).build(),
PRIORITY_ACL_RULE,
ACL_TABLE,
install);
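Review bot: The explicit `transition(JUMP_TABLE)` on the allow rule only has the intended effect if unmatched traffic in ACL_TABLE is not forwarded by default, and nothing at this call site says so. A short why-comment above the `setRule` call would help the next maintainer, e.g. `// Allowed traffic must jump to JUMP_TABLE explicitly; ACL_TABLE's default entry decides the fate of everything else.` The enclosing method starts and ends outside the hunk, so the selector construction could not be checked here.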
@@ -362,9 +368,13 @@
private void resetSecurityGroupRules() {
if (useSecurityGroup) {
+ osNodeService.completeNodes(OpenstackNode.NodeType.COMPUTE)
+ .forEach(node -> osFlowRuleService.setUpTableMissEntry(node.intgBridge(), ACL_TABLE));
securityGroupService.securityGroups().forEach(securityGroup ->
securityGroup.getRules().forEach(this::securityGroupRuleAdded));
} else {
+ osNodeService.completeNodes(OpenstackNode.NodeType.COMPUTE)
+ .forEach(node -> osFlowRuleService.connectTables(node.intgBridge(), ACL_TABLE, JUMP_TABLE));
securityGroupService.securityGroups().forEach(securityGroup ->
securityGroup.getRules().forEach(this::securityGroupRuleRemoved));
}
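Review bot: Both branches of `resetSecurityGroupRules` only cover the nodes returned by `osNodeService.completeNodes(OpenstackNode.NodeType.COMPUTE)` at the moment the setting is applied, so a compute node that completes later gets neither the table-miss entry nor the by-pass rule from this path. Unless a node-complete handler outside this diff installs the matching ACL_TABLE default, the enforcement state of late-joining bridges is left to whatever the initial pipeline set up. The enabled branch also adds the table-miss entry without removing a by-pass rule that an earlier `connectTables(node.intgBridge(), ACL_TABLE, JUMP_TABLE)` may have installed. If the two rules do not share selector and priority (their bodies are not visible here), the by-pass would survive and ingress would stay open, so I'd remove it explicitly or add a test that toggles the setting both ways. The method's closing brace is outside the hunk.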