Make ip-version mandatory for all ACEs 63/3463/1
authorMarek Gradzki <mgradzki@cisco.com>
Tue, 18 Oct 2016 07:48:01 +0000 (09:48 +0200)
committerMarek Gradzki <mgradzki@cisco.com>
Tue, 18 Oct 2016 08:52:04 +0000 (10:52 +0200)
- ip-version was mandatory only when mixing l2/l3 rules in one ACE
(vpp api limitation). It needs to be provided also in case of
ACEs that define l3 only rules (we allow mixing ip4/ip6 ACEs
in one list).

- updates postman collection with an example of an L4-only ACL

Change-Id: Ifb863208c21a504cd61843f7540341bc35a6174a
Signed-off-by: Marek Gradzki <mgradzki@cisco.com>
v3po/api/src/main/yang/vpp-acl.yang
v3po/postman_rest_collection.json
v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/IetfAclWriter.java

index d0d24c9..f0c93f4 100644 (file)
@@ -82,14 +82,19 @@ module vpp-acl {
         Update/delete of ACL lists referenced here is not permitted (assignment needs to be removed first).
 
         Read is supported only for acls that were created and assigned by Honeycomb agent
-        (corresponding metadata are present).
+        (corresponding metadata is present).
+
+        Extensions:
+        - mixing ACEs of different type in one list is permited
+        - mixing L2/L3/L4 rules in one ACE is permited
 
         Limitations (due to vpp limitations):
         - egress rules are currently ignored (HONEYCOMB-234)
-        - L4 rules are currently not supported (limited support will by provided by HONEYCOMB-218)
-        - mixing L2 and L3 rules is possible only if ace-ip-version is provided
-          (vpp classfier api limitation: common header fields for IP4/IP6 have different offsets)
-        - L2 rules on L3 interfaces only to IP traffic (vpp classfier limitation)
+        - L4 rules support is limited (every <src,dst> port pair from provided ranges is translated to single classify
+        session; which can very slow or even crash vpp if ranges are big, see HONEYCOMB-260)
+        - ace-ip-version needs to be provided for all aces (consequence of posibility to mix ACEs of different types,
+          and vpp classfier api limitation: common header fields for IP4/IP6 have different offsets)
+        - L2 rules on L3 interfaces are applied only to IP traffic (vpp classfier limitation)
         - vlan tags are supported only for sub-interfaces defined as exact-match";
 
       list acl {
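Review bot: The new limitation text on L39-40 says ace-ip-version must be provided for every ACE, but the model only documents this; enforcement happens at translation time in IetfAclWriter, where a missing version surfaces as an IllegalArgumentException from the writer rather than as a schema validation error at the RESTCONF boundary. If the augmenting choice permits it, `mandatory true;` on the ace-ip-version choice would reject such ACEs up front — confirm against the choice definition, which is outside this hunk. The L4 limitation on L37-38 likewise documents that wide port ranges can slow down or crash VPP but nothing here bounds them; if the writer enforces a cap on the number of generated sessions, state it, and if it does not, one is worth adding, since an authenticated client can otherwise take the dataplane down with a single wide-range ACE. Typos in the new description text: `permited` → `permitted` (twice), `classfier` → `classifier` (twice), `posibility` → `possibility`, and `which can very slow` → `which can be very slow`.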
index 5617a98..e25cfb6 100644 (file)
                                "5e93fbca-86d0-12a5-45fd-45d7dfa3bd40",
                                "5140ac58-342a-1576-8b0e-99eb8b3b1fb2",
                                "9f58c827-d698-fc60-ec49-c2ccbca97c35",
+                               "93b5345a-434f-9459-26c2-dc2cad9176e0",
                                "4d3d06fe-8a64-d0e4-400a-79c4fbd6db73",
                                "33280f11-2d61-09d3-f726-9907ef00dc19",
                                "60d4ab79-dea1-de5a-63eb-6e26d3d1481b",
                                "d668c31c-b904-cd65-124c-dd2a89149b70",
                                "13b938a5-7a53-513f-44b9-33d869b8cb53",
+                               "bca26b70-fe05-a1b4-f93a-1f683341d492",
                                "4442a2fd-497d-ee8d-22cd-43b72c358f67",
                                "161987f9-8912-f724-2f2d-d7548b12e8f9"
                        ],
                        "rawModeData": "{\r\n        \"acl\": [\r\n            {\r\n                \"acl-type\": \"vpp-acl:mixed-acl\",\r\n                \"acl-name\": \"acl5\",\r\n                \"access-list-entries\": {\r\n                    \"ace\": [\r\n                        {\r\n                            \"rule-name\": \"rule1(ip4+mac)\",\r\n                            \"matches\": {\r\n                                \"vpp-acl:destination-mac-address\": \"AA:BB:CC:DD:00:00\",\r\n                                \"vpp-acl:destination-mac-address-mask\": \"FF:FF:FF:FF:00:00\",\r\n                                \"vpp-acl:source-mac-address\": \"00:00:00:00:AA:BB\",\r\n                                \"vpp-acl:source-mac-address-mask\": \"00:00:00:00:FF:FF\",\r\n                                \"vpp-acl:destination-ipv4-network\": \"1.2.3.1/24\",\r\n                                \"vpp-acl:protocol\": \"4\",\r\n                                \"vpp-acl:dscp\": \"11\",\r\n                                \"vpp-acl:source-ipv4-network\": \"1.2.4.2/24\"\r\n                            },\r\n                            \"actions\": {\r\n                                \"deny\": {}\r\n                            }\r\n                        },\r\n                        {\r\n                            \"rule-name\": \"rule2(ip4+mac)\",\r\n                            \"matches\": {\r\n                                \"vpp-acl:source-mac-address\": \"01:02:03:04:05:06\",\r\n                                \"vpp-acl:destination-ipv4-network\": \"1.1.1.1/16\",\r\n                                \"vpp-acl:protocol\": \"4\",\r\n                                \"vpp-acl:dscp\": \"63\",\r\n                                \"vpp-acl:source-ipv4-network\": \"2.2.2.2/32\"\r\n                            },\r\n                            \"actions\": {\r\n                                \"deny\": {}\r\n                            }\r\n                        },\r\n         
               {\r\n                            \"rule-name\": \"rule3(ip6+mac)\",\r\n                            \"matches\": {\r\n                                \"vpp-acl:destination-mac-address\": \"11:22:33:44:55:66\",\r\n                                \"vpp-acl:destination-ipv6-network\": \"1111:2222:3333:4444:5555:6666:7777:8888/64\"\r\n                            },\r\n                            \"actions\": {\r\n                                \"deny\": {}\r\n                            }\r\n                        }\r\n                    ]\r\n                }\r\n            }\r\n        ]\r\n}",
                        "folder": "c05d7211-11b0-5688-2079-afa51196045c"
                },
+               {
+                       "id": "93b5345a-434f-9459-26c2-dc2cad9176e0",
+                       "headers": "Authorization: Basic YWRtaW46YWRtaW4=\nContent-Type: application/json\n",
+                       "url": "http://localhost:8183/restconf/config/ietf-access-control-list:access-lists/acl/vpp-acl:mixed-acl/acl6",
+                       "preRequestScript": "",
+                       "pathVariables": {},
+                       "method": "PUT",
+                       "data": [],
+                       "dataMode": "raw",
+                       "version": 2,
+                       "tests": "",
+                       "currentHelper": "normal",
+                       "helperAttributes": {},
+                       "time": 1476780298679,
+                       "name": "Write acl6 list (L4 rules)",
+                       "description": "Deny any traffic where destination port is 80 and source port in range [1000,2000].",
+                       "collectionId": "5bad4634-e5cf-900e-9733-0976aa9bea64",
+                       "responses": [],
+                       "rawModeData": "{\n\t\"acl\": [\n\t\t{\n\t\t\t\"acl-name\": \"acl6\", \n\t\t\t\"acl-type\": \"vpp-acl:mixed-acl\", \n\t\t\t\"access-list-entries\": {\n\t\t\t\t\"ace\": [\n\t\t\t\t\t{\n\t\t\t\t\t\t\"matches\": {\n                            \"destination-ipv4-network\": \"0.0.0.0/0\",\n\t\t\t\t\t\t\t\"destination-port-range\": {\n\t\t\t\t\t\t\t\t\"lower-port\": 80\n\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t}, \n\t\t\t\t\t\t\t\"source-port-range\": {\n\t\t\t\t\t\t\t\t\"lower-port\": 1000,\n\t\t\t\t\t\t\t\t\"upper-port\": 2000\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}, \n\t\t\t\t\t\t\"actions\": {\n\t\t\t\t\t\t\t\"deny\": {}\n\t\t\t\t\t\t},\n\t\t\t\t\t\t\"rule-name\": \"rule1\"\n\t\t\t\t\t}]}}]}\n",
+                       "folder": "c05d7211-11b0-5688-2079-afa51196045c"
+               },
                {
                        "id": "4d3d06fe-8a64-d0e4-400a-79c4fbd6db73",
                        "headers": "Authorization: Basic YWRtaW46YWRtaW4=\nContent-Type: application/json\n",
                        "rawModeData": "{\n\n    \"acl\": [\n        {\n            \"type\" : \"vpp-acl:mixed-acl\",\n            \"name\" : \"acl5\"\n        }\n    ]\n}",
                        "folder": "c05d7211-11b0-5688-2079-afa51196045c"
                },
+               {
+                       "id": "bca26b70-fe05-a1b4-f93a-1f683341d492",
+                       "headers": "Authorization: Basic YWRtaW46YWRtaW4=\nContent-Type: application/json\n",
+                       "url": "http://localhost:8183/restconf/config/ietf-interfaces:interfaces/interface/local0/ietf-acl/ingress/access-lists/acl/vpp-acl:mixed-acl/acl6",
+                       "preRequestScript": "",
+                       "pathVariables": {},
+                       "method": "PUT",
+                       "data": [],
+                       "dataMode": "raw",
+                       "version": 2,
+                       "tests": "",
+                       "currentHelper": "normal",
+                       "helperAttributes": {},
+                       "time": 1476778885469,
+                       "name": "Enable L4 ACL on local0 interface",
+                       "description": "Creates chain of classfy tabless/sessions in VPP and assigns them to local0 interface.\n\nCan be verified with:\nvppctl show classify table verbose\n\nthen (depending on acl mode):\n\nvppctl show inacl type l2\n\nor\n\nvppctl show inacl type ip4\n\nvppctl show inacl type ip6",
+                       "collectionId": "5bad4634-e5cf-900e-9733-0976aa9bea64",
+                       "responses": [],
+                       "rawModeData": "{\n\n    \"acl\": [\n        {\n            \"type\" : \"vpp-acl:mixed-acl\",\n            \"name\" : \"acl6\"\n        }\n    ]\n}",
+                       "folder": "c05d7211-11b0-5688-2079-afa51196045c"
+               },
                {
                        "id": "4442a2fd-497d-ee8d-22cd-43b72c358f67",
                        "headers": "Authorization: Basic YWRtaW46YWRtaW4=\nContent-Type: application/json\n",
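Review bot: The new acl6 body on L81 uses the unqualified key `destination-ipv4-network`, whereas the existing acl5 example on L59 writes the same augmented node as `vpp-acl:destination-ipv4-network`; because this leaf comes from a different module than its parent, RFC 7951 calls for the module-qualified form, so the example may only work if the RESTCONF JSON codec is lenient — aligning it with the other examples (`"vpp-acl:destination-ipv4-network": "0.0.0.0/0"`) avoids teaching a non-portable form. That match is also the only thing supplying the now-mandatory ip-version for an otherwise L4-only rule, which is worth a sentence in the request description on L78 so readers understand why it is there. The added requests on L65 and L92 repeat the hardcoded `admin:admin` Basic credentials over plain http; tolerable in a localhost sample collection, but a Postman environment variable would avoid copying default credentials into every request. Minor: `classfy tabless` on L105 should read `classify tables`.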
index 58a72ab..c74845c 100644 (file)
@@ -152,13 +152,14 @@ public final class IetfAclWriter implements JvppReplyConsumer, AclTranslator {
 
     private static boolean appliesToIp4Path(final Ace ace) {
         final AceType aceType = ace.getMatches().getAceType();
-        if (aceType instanceof AceIp && ((AceIp) aceType).getAceIpVersion() instanceof AceIpv4) {
+        final AclType aclType = AclType.fromAce(ace);
+        if (aclType == AclType.IP4) {
             return true;
         }
-        if (aceType instanceof AceEth) {
+        if (aclType == AclType.ETH) {
             return true;  // L2 only rules are possible for IP4 traffic
         }
-        if (aceType instanceof AceIpAndEth && ((AceIpAndEth) aceType)
+        if (aclType == AclType.ETH_AND_IP && ((AceIpAndEth) aceType)
             .getAceIpVersion() instanceof org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.vpp.acl.rev161214.access.lists.acl.access.list.entries.ace.matches.ace.type.ace.ip.and.eth.ace.ip.version.AceIpv4) {
             return true;
         }
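Review bot: The ETH_AND_IP branch on L129-130 still answers false when an AceIpAndEth ACE carries no ip-version, and the IPv6 twin below does the same, so such an ACE would be applied to neither path and a deny rule would silently never be installed — fail-open rather than an error. That is harmless only if `AclType.fromAce` already rejects a missing version in its AceIpAndEth branch, which is outside this hunk (the AceIp branch visibly does so now); if it does not, the writer should reject it here too, e.g. `if (aclType == AclType.ETH_AND_IP && ((AceIpAndEth) aceType).getAceIpVersion() == null) { throw new IllegalArgumentException("Incomplete ACE (ip-version was not provided): " + ace); }`. The method's trailing `return false` and closing brace lie outside the hunk.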
@@ -167,13 +168,14 @@ public final class IetfAclWriter implements JvppReplyConsumer, AclTranslator {
 
     private static boolean appliesToIp6Path(final Ace ace) {
         final AceType aceType = ace.getMatches().getAceType();
-        if (aceType instanceof AceIp && ((AceIp) aceType).getAceIpVersion() instanceof AceIpv6) {
+        final AclType aclType = AclType.fromAce(ace);
+        if (aclType == AclType.IP6) {
             return true;
         }
-        if (aceType instanceof AceEth) {
-            return true; // L2 only rules are possible for IP6 traffic
+        if (aclType == AclType.ETH) {
+            return true;  // L2 only rules are possible for IP6 traffic
         }
-        if (aceType instanceof AceIpAndEth && ((AceIpAndEth) aceType)
+        if (aclType == AclType.ETH_AND_IP && ((AceIpAndEth) aceType)
             .getAceIpVersion() instanceof org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.vpp.acl.rev161214.access.lists.acl.access.list.entries.ace.matches.ace.type.ace.ip.and.eth.ace.ip.version.AceIpv6) {
             return true;
         }
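Review bot: appliesToIp6Path is now a line-for-line mirror of appliesToIp4Path, differing only in the AclType constant and the AceIpv4/AceIpv6 class tested on L148-149, and the fully-qualified generated class names make both hard to read. A single private helper taking the expected AclType and the ip-version class, with the two public-facing methods delegating to it, would keep them in sync the next time the rules change; `Class.isInstance` also replaces the cast-plus-instanceof chain. This assumes the remainder of the method outside the hunk is just `return false`; the method's end is not visible here.

```java
    private static boolean appliesToIp6Path(final Ace ace) {
        return appliesToPath(ace, AclType.IP6,
            org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.vpp.acl.rev161214.access.lists.acl.access.list.entries.ace.matches.ace.type.ace.ip.and.eth.ace.ip.version.AceIpv6.class);
    }

    // Shared by appliesToIp4Path/appliesToIp6Path: pure IP ACEs of the given version, L2-only ACEs
    // (possible for both IP4 and IP6 traffic) and mixed L2/L3 ACEs carrying the given ip-version.
    private static boolean appliesToPath(final Ace ace, final AclType ipType, final Class<?> ipAndEthVersion) {
        final AclType aclType = AclType.fromAce(ace);
        if (aclType == ipType || aclType == AclType.ETH) {
            return true;
        }
        return aclType == AclType.ETH_AND_IP
            && ipAndEthVersion.isInstance(((AceIpAndEth) ace.getMatches().getAceType()).getAceIpVersion());
    }
```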
@@ -291,9 +293,12 @@ public final class IetfAclWriter implements JvppReplyConsumer, AclTranslator {
                     result = ETH;
                 } else if (aceType instanceof AceIp) {
                     final AceIpVersion aceIpVersion = ((AceIp) aceType).getAceIpVersion();
+                    if (aceIpVersion == null) {
+                        throw new IllegalArgumentException("Incomplete ACE (ip-version was not provided): " + ace);
+                    }
                     if (aceIpVersion instanceof AceIpv4) {
                         result = IP4;
-                    } else {
+                    } else if (aceIpVersion instanceof AceIpv6) {
                         result = IP6;
                     }
                 } else if (aceType instanceof AceIpAndEth) {
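Review bot: Turning the `else` on L161 into `else if (aceIpVersion instanceof AceIpv6)` on L162 removes the only branch that assigned a value for an ip-version that is neither AceIpv4 nor AceIpv6, so `result` now keeps whatever it was initialised to above the hunk and the ACE is classified silently instead of being rejected like the null case on L156-158. A closing `else { throw new IllegalArgumentException("Unsupported ip-version: " + aceIpVersion + " in ACE " + ace); }` keeps the method fail-closed should another choice case be added to the model. The message on L157 also embeds the whole ACE via toString; that is handy for debugging, but if this exception reaches the RESTCONF response it makes the error body proportional to the ACE size — logging the ACE and reporting only its rule-name would be tighter. The enclosing method begins and ends outside the hunk.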