commit 81ab23b3eb4c925aabd09bc714eec5ca5a916635
author Hyunsun Moon <hyunsun.moon@gmail.com> Mon Feb 01 23:00:56 2016 -0800
committer Gerrit Code Review <gerrit@onlab.us> Tue Feb 02 15:55:47 2016 +0000
tree b3a966e7252b276dfddd622fee41673356929bf8
parent 9186613c0fd79c85c62473efdd2fe2326f7a53a5

Added drop rules to prevent packets for virtual networks go out
through the physical network

Change-Id: I84dddb0c7ca4764c00566c29c163badc8d5c538f

apps/cordvtn/src/main/java/org/onosproject/cordvtn/CordVtnRuleInstaller.java

diff --git a/apps/cordvtn/src/main/java/org/onosproject/cordvtn/CordVtnRuleInstaller.java b/apps/cordvtn/src/main/java/org/onosproject/cordvtn/CordVtnRuleInstaller.java
index b2451d4..7fb8574 100644
--- a/apps/cordvtn/src/main/java/org/onosproject/cordvtn/CordVtnRuleInstaller.java
+++ b/apps/cordvtn/src/main/java/org/onosproject/cordvtn/CordVtnRuleInstaller.java
@@ -196,6 +196,7 @@
 
         populateLocalInPortRule(deviceId, inPort, hostIp);
         populateDirectAccessRule(Ip4Prefix.valueOf(subnet.cidr()), Ip4Prefix.valueOf(subnet.cidr()));
+        populateServiceIsolationRule(Ip4Prefix.valueOf(subnet.cidr()));
         populateDstIpRule(deviceId, inPort, dstMac, hostIp, tunnelId, tunnelIp);
         populateTunnelInRule(deviceId, inPort, dstMac, tunnelId);
     }
@@ -785,6 +786,37 @@
                     .fromApp(appId)
                     .withSelector(selector)
                     .withTreatment(treatment)
+                    .withPriority(DEFAULT_PRIORITY)
+                    .forDevice(device.id())
+                    .forTable(TABLE_ACCESS_TYPE)
+                    .makePermanent()
+                    .build();
+
+            processFlowRule(true, flowRuleDirect);
+        }
+    }
+
+    /**
+     * Populates drop rules that does not match any direct access rules but has
+     * destination to a different service network in ACCESS_TYPE table.
+     *
+     * @param dstRange destination ip range
+     */
+    private void populateServiceIsolationRule(Ip4Prefix dstRange) {
+        TrafficSelector selector = DefaultTrafficSelector.builder()
+                .matchEthType(Ethernet.TYPE_IPV4)
+                .matchIPDst(dstRange)
+                .build();
+
+        TrafficTreatment treatment = DefaultTrafficTreatment.builder()
+                .drop()
+                .build();
+
+        for (Device device : deviceService.getAvailableDevices(SWITCH)) {
+            FlowRule flowRuleDirect = DefaultFlowRule.builder()
+                    .fromApp(appId)
+                    .withSelector(selector)
+                    .withTreatment(treatment)
                     .withPriority(LOW_PRIORITY)
                     .forDevice(device.id())
                     .forTable(TABLE_ACCESS_TYPE)
@@ -820,7 +852,7 @@
                     .fromApp(appId)
                     .withSelector(selector)
                     .withTreatment(treatment)
-                    .withPriority(DEFAULT_PRIORITY)
+                    .withPriority(HIGH_PRIORITY)
                     .forDevice(outGroup.getKey())
                     .forTable(TABLE_ACCESS_TYPE)
                     .makePermanent()