Pengfei Lu | e0c02e2 | 2015-07-07 15:41:31 +0800 | [diff] [blame] | 1 | /* |
Brian O'Connor | 5ab426f | 2016-04-09 01:19:45 -0700 | [diff] [blame^] | 2 | * Copyright 2015-present Open Networking Laboratory |
Pengfei Lu | e0c02e2 | 2015-07-07 15:41:31 +0800 | [diff] [blame] | 3 | * Originally created by Pengfei Lu, Network and Cloud Computing Laboratory, Dalian University of Technology, China |
Pengfei Lu | e53419b | 2015-08-29 10:11:02 +0800 | [diff] [blame] | 4 | * Advisers: Keqiu Li, Heng Qi and Haisheng Yu |
Pengfei Lu | e0c02e2 | 2015-07-07 15:41:31 +0800 | [diff] [blame] | 5 | * This work is supported by the State Key Program of National Natural Science of China(Grant No. 61432002) |
| 6 | * and Prospective Research Project on Future Networks in Jiangsu Future Networks Innovation Institute. |
| 7 | * |
| 8 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 9 | * you may not use this file except in compliance with the License. |
| 10 | * You may obtain a copy of the License at |
| 11 | * |
| 12 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 13 | * |
| 14 | * Unless required by applicable law or agreed to in writing, software |
| 15 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 16 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 17 | * See the License for the specific language governing permissions and |
| 18 | * limitations under the License. |
| 19 | */ |
Thomas Vachuska | 9bb3235 | 2015-09-25 11:31:22 -0700 | [diff] [blame] | 20 | package org.onosproject.acl; |
Pengfei Lu | e0c02e2 | 2015-07-07 15:41:31 +0800 | [diff] [blame] | 21 | |
| 22 | import com.google.common.base.MoreObjects; |
| 23 | import org.onlab.packet.IPv4; |
| 24 | import org.onlab.packet.Ip4Prefix; |
| 25 | import org.onosproject.core.IdGenerator; |
| 26 | |
| 27 | import java.util.Objects; |
| 28 | |
| 29 | import static com.google.common.base.Preconditions.checkNotNull; |
| 30 | import static com.google.common.base.Preconditions.checkState; |
| 31 | |
| 32 | /** |
| 33 | * ACL rule class. |
| 34 | */ |
| 35 | public final class AclRule { |
| 36 | |
| 37 | private final RuleId id; |
| 38 | |
| 39 | private final Ip4Prefix srcIp; |
| 40 | private final Ip4Prefix dstIp; |
| 41 | private final byte ipProto; |
| 42 | private final short dstTpPort; |
| 43 | private final Action action; |
| 44 | |
| 45 | private static IdGenerator idGenerator; |
| 46 | |
| 47 | /** |
| 48 | * Enum type for ACL rule's action. |
| 49 | */ |
| 50 | public enum Action { |
| 51 | DENY, ALLOW |
| 52 | } |
| 53 | |
| 54 | /** |
| 55 | * Constructor for serializer. |
| 56 | */ |
| 57 | private AclRule() { |
| 58 | this.id = null; |
| 59 | this.srcIp = null; |
| 60 | this.dstIp = null; |
| 61 | this.ipProto = 0; |
| 62 | this.dstTpPort = 0; |
| 63 | this.action = null; |
| 64 | } |
| 65 | |
| 66 | /** |
| 67 | * Create a new ACL rule. |
| 68 | * |
Thomas Vachuska | 9bb3235 | 2015-09-25 11:31:22 -0700 | [diff] [blame] | 69 | * @param srcIp source IP address |
| 70 | * @param dstIp destination IP address |
| 71 | * @param ipProto IP protocol |
Pengfei Lu | e0c02e2 | 2015-07-07 15:41:31 +0800 | [diff] [blame] | 72 | * @param dstTpPort destination transport layer port |
Thomas Vachuska | 9bb3235 | 2015-09-25 11:31:22 -0700 | [diff] [blame] | 73 | * @param action ACL rule's action |
Pengfei Lu | e0c02e2 | 2015-07-07 15:41:31 +0800 | [diff] [blame] | 74 | */ |
Thomas Vachuska | 9bb3235 | 2015-09-25 11:31:22 -0700 | [diff] [blame] | 75 | private AclRule(Ip4Prefix srcIp, Ip4Prefix dstIp, byte ipProto, |
| 76 | short dstTpPort, Action action) { |
Pengfei Lu | e0c02e2 | 2015-07-07 15:41:31 +0800 | [diff] [blame] | 77 | checkState(idGenerator != null, "Id generator is not bound."); |
| 78 | this.id = RuleId.valueOf(idGenerator.getNewId()); |
| 79 | this.srcIp = srcIp; |
| 80 | this.dstIp = dstIp; |
| 81 | this.ipProto = ipProto; |
| 82 | this.dstTpPort = dstTpPort; |
| 83 | this.action = action; |
| 84 | } |
| 85 | |
| 86 | /** |
| 87 | * Check if the first CIDR address is in (or the same as) the second CIDR address. |
| 88 | */ |
Jonathan Hart | d9df7bd | 2015-11-10 17:10:25 -0800 | [diff] [blame] | 89 | private boolean checkCidrInCidr(Ip4Prefix cidrAddr1, Ip4Prefix cidrAddr2) { |
Pengfei Lu | e0c02e2 | 2015-07-07 15:41:31 +0800 | [diff] [blame] | 90 | if (cidrAddr2 == null) { |
| 91 | return true; |
| 92 | } else if (cidrAddr1 == null) { |
| 93 | return false; |
| 94 | } |
| 95 | if (cidrAddr1.prefixLength() < cidrAddr2.prefixLength()) { |
| 96 | return false; |
| 97 | } |
| 98 | int offset = 32 - cidrAddr2.prefixLength(); |
| 99 | |
| 100 | int cidr1Prefix = cidrAddr1.address().toInt(); |
| 101 | int cidr2Prefix = cidrAddr2.address().toInt(); |
| 102 | cidr1Prefix = cidr1Prefix >> offset; |
| 103 | cidr2Prefix = cidr2Prefix >> offset; |
| 104 | cidr1Prefix = cidr1Prefix << offset; |
| 105 | cidr2Prefix = cidr2Prefix << offset; |
| 106 | |
| 107 | return (cidr1Prefix == cidr2Prefix); |
| 108 | } |
| 109 | |
| 110 | /** |
| 111 | * Check if this ACL rule match the given ACL rule. |
Thomas Vachuska | 9bb3235 | 2015-09-25 11:31:22 -0700 | [diff] [blame] | 112 | * |
Pengfei Lu | e0c02e2 | 2015-07-07 15:41:31 +0800 | [diff] [blame] | 113 | * @param r ACL rule to check against |
| 114 | * @return true if this ACL rule matches the given ACL ruleule. |
| 115 | */ |
| 116 | public boolean checkMatch(AclRule r) { |
| 117 | return (this.dstTpPort == r.dstTpPort || r.dstTpPort == 0) |
| 118 | && (this.ipProto == r.ipProto || r.ipProto == 0) |
Jonathan Hart | d9df7bd | 2015-11-10 17:10:25 -0800 | [diff] [blame] | 119 | && (checkCidrInCidr(this.srcIp(), r.srcIp())) |
| 120 | && (checkCidrInCidr(this.dstIp(), r.dstIp())); |
Pengfei Lu | e0c02e2 | 2015-07-07 15:41:31 +0800 | [diff] [blame] | 121 | } |
| 122 | |
| 123 | /** |
| 124 | * Returns a new ACL rule builder. |
| 125 | * |
| 126 | * @return ACL rule builder |
| 127 | */ |
| 128 | public static Builder builder() { |
| 129 | return new Builder(); |
| 130 | } |
| 131 | |
| 132 | /** |
| 133 | * Builder of an ACL rule. |
| 134 | */ |
| 135 | public static final class Builder { |
| 136 | |
| 137 | private Ip4Prefix srcIp = null; |
| 138 | private Ip4Prefix dstIp = null; |
| 139 | private byte ipProto = 0; |
| 140 | private short dstTpPort = 0; |
| 141 | private Action action = Action.DENY; |
| 142 | |
| 143 | private Builder() { |
| 144 | // Hide constructor |
| 145 | } |
| 146 | |
| 147 | /** |
| 148 | * Sets the source IP address for the ACL rule that will be built. |
| 149 | * |
| 150 | * @param srcIp source IP address to use for built ACL rule |
| 151 | * @return this builder |
| 152 | */ |
Thomas Vachuska | 9bb3235 | 2015-09-25 11:31:22 -0700 | [diff] [blame] | 153 | public Builder srcIp(Ip4Prefix srcIp) { |
| 154 | this.srcIp = srcIp; |
Pengfei Lu | e0c02e2 | 2015-07-07 15:41:31 +0800 | [diff] [blame] | 155 | return this; |
| 156 | } |
| 157 | |
| 158 | /** |
| 159 | * Sets the destination IP address for the ACL rule that will be built. |
| 160 | * |
| 161 | * @param dstIp destination IP address to use for built ACL rule |
| 162 | * @return this builder |
| 163 | */ |
Thomas Vachuska | 9bb3235 | 2015-09-25 11:31:22 -0700 | [diff] [blame] | 164 | public Builder dstIp(Ip4Prefix dstIp) { |
| 165 | this.dstIp = dstIp; |
Pengfei Lu | e0c02e2 | 2015-07-07 15:41:31 +0800 | [diff] [blame] | 166 | return this; |
| 167 | } |
| 168 | |
| 169 | /** |
| 170 | * Sets the IP protocol for the ACL rule that will be built. |
| 171 | * |
| 172 | * @param ipProto IP protocol to use for built ACL rule |
| 173 | * @return this builder |
| 174 | */ |
| 175 | public Builder ipProto(byte ipProto) { |
| 176 | this.ipProto = ipProto; |
| 177 | return this; |
| 178 | } |
| 179 | |
| 180 | /** |
| 181 | * Sets the destination transport layer port for the ACL rule that will be built. |
| 182 | * |
| 183 | * @param dstTpPort destination transport layer port to use for built ACL rule |
| 184 | * @return this builder |
| 185 | */ |
| 186 | public Builder dstTpPort(short dstTpPort) { |
| 187 | if ((ipProto == IPv4.PROTOCOL_TCP || ipProto == IPv4.PROTOCOL_UDP)) { |
| 188 | this.dstTpPort = dstTpPort; |
| 189 | } |
| 190 | return this; |
| 191 | } |
| 192 | |
| 193 | /** |
| 194 | * Sets the action for the ACL rule that will be built. |
| 195 | * |
| 196 | * @param action action to use for built ACL rule |
| 197 | * @return this builder |
| 198 | */ |
| 199 | public Builder action(Action action) { |
| 200 | this.action = action; |
| 201 | return this; |
| 202 | } |
| 203 | |
| 204 | /** |
| 205 | * Builds an ACL rule from the accumulated parameters. |
Thomas Vachuska | 9bb3235 | 2015-09-25 11:31:22 -0700 | [diff] [blame] | 206 | * |
Pengfei Lu | e0c02e2 | 2015-07-07 15:41:31 +0800 | [diff] [blame] | 207 | * @return ACL rule instance |
| 208 | */ |
| 209 | public AclRule build() { |
| 210 | checkState(srcIp != null && dstIp != null, "Either srcIp or dstIp must be assigned."); |
| 211 | checkState(ipProto == 0 || ipProto == IPv4.PROTOCOL_ICMP |
| 212 | || ipProto == IPv4.PROTOCOL_TCP || ipProto == IPv4.PROTOCOL_UDP, |
| 213 | "ipProto must be assigned to TCP, UDP, or ICMP."); |
Thomas Vachuska | 9bb3235 | 2015-09-25 11:31:22 -0700 | [diff] [blame] | 214 | return new AclRule(srcIp, dstIp, ipProto, dstTpPort, action); |
Pengfei Lu | e0c02e2 | 2015-07-07 15:41:31 +0800 | [diff] [blame] | 215 | } |
| 216 | |
| 217 | } |
| 218 | |
| 219 | /** |
| 220 | * Binds an id generator for unique ACL rule id generation. |
Thomas Vachuska | 9bb3235 | 2015-09-25 11:31:22 -0700 | [diff] [blame] | 221 | * <p> |
Pengfei Lu | e0c02e2 | 2015-07-07 15:41:31 +0800 | [diff] [blame] | 222 | * Note: A generator cannot be bound if there is already a generator bound. |
| 223 | * |
| 224 | * @param newIdGenerator id generator |
| 225 | */ |
| 226 | public static void bindIdGenerator(IdGenerator newIdGenerator) { |
| 227 | checkState(idGenerator == null, "Id generator is already bound."); |
| 228 | idGenerator = checkNotNull(newIdGenerator); |
| 229 | } |
| 230 | |
| 231 | public RuleId id() { |
| 232 | return id; |
| 233 | } |
| 234 | |
| 235 | public Ip4Prefix srcIp() { |
| 236 | return srcIp; |
| 237 | } |
| 238 | |
| 239 | public Ip4Prefix dstIp() { |
| 240 | return this.dstIp; |
| 241 | } |
| 242 | |
| 243 | public byte ipProto() { |
| 244 | return ipProto; |
| 245 | } |
| 246 | |
| 247 | public short dstTpPort() { |
| 248 | return dstTpPort; |
| 249 | } |
| 250 | |
| 251 | public Action action() { |
| 252 | return action; |
| 253 | } |
| 254 | |
| 255 | @Override |
| 256 | public int hashCode() { |
Thomas Vachuska | 9bb3235 | 2015-09-25 11:31:22 -0700 | [diff] [blame] | 257 | return Objects.hash(action, id.fingerprint(), ipProto, srcIp, dstIp, dstTpPort); |
Pengfei Lu | e0c02e2 | 2015-07-07 15:41:31 +0800 | [diff] [blame] | 258 | } |
| 259 | |
| 260 | @Override |
| 261 | public boolean equals(Object obj) { |
| 262 | if (this == obj) { |
| 263 | return true; |
| 264 | } |
| 265 | if (obj instanceof AclRule) { |
| 266 | AclRule that = (AclRule) obj; |
| 267 | return Objects.equals(id, that.id) && |
| 268 | Objects.equals(srcIp, that.srcIp) && |
| 269 | Objects.equals(dstIp, that.dstIp) && |
| 270 | Objects.equals(ipProto, that.ipProto) && |
| 271 | Objects.equals(dstTpPort, that.dstTpPort) && |
| 272 | Objects.equals(action, that.action); |
| 273 | } |
| 274 | return false; |
| 275 | } |
| 276 | |
| 277 | @Override |
| 278 | public String toString() { |
| 279 | return MoreObjects.toStringHelper(this) |
| 280 | .omitNullValues() |
| 281 | .add("id", id) |
| 282 | .add("srcIp", srcIp) |
| 283 | .add("dstIp", dstIp) |
| 284 | .add("ipProto", ipProto) |
| 285 | .add("dstTpPort", dstTpPort) |
| 286 | .add("action", action) |
| 287 | .toString(); |
| 288 | } |
| 289 | |
| 290 | } |