OpenSDN source code
acl.h
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2013 Juniper Networks, Inc. All rights reserved.
3  */
4 
5 #ifndef __AGENT_ACL_N_H__
6 #define __AGENT_ACL_N_H__
7 
8 #include <boost/intrusive/list.hpp>
9 #include <boost/uuid/uuid.hpp>
10 #include <boost/intrusive_ptr.hpp>
11 
12 #include <oper/oper_db.h>
13 #include <filter/traffic_action.h>
14 #include <filter/acl_entry_match.h>
15 #include <filter/acl_entry_spec.h>
16 #include <filter/acl_entry.h>
17 #include <filter/packet_header.h>
18 
19 struct FlowKey;
20 class VnEntry;
21 class Interface;
22 
23 struct FlowPolicyInfo {
24  std::string uuid;
25  bool drop;
26  bool terminal;
27  bool other;
28  std::string src_match_vn; // source VN that matched
29  std::string dst_match_vn; // destination VN that matched
30  std::string acl_name;
31  FlowPolicyInfo(const std::string &u);
32 };
33 
34 struct FlowAction {
35  FlowAction():
36  action(0), mirror_l() {};
37  ~FlowAction() { };
38 
39  void Clear() {
40  action = 0;
41  mirror_l.clear();
42  qos_config_action_.clear();
43  };
44 
45  uint32_t action;
46  std::vector<MirrorActionSpec> mirror_l;
47  VrfTranslateActionSpec vrf_translate_action_;
48  QosConfigActionSpec qos_config_action_;
49 };
50 
51 struct MatchAclParams {
52  MatchAclParams(): acl(NULL), ace_id_list(), terminal_rule(false) {}
53  ~MatchAclParams() { };
54 
55  AclDBEntryConstRef acl;
56  AclEntryIDList ace_id_list;
57  FlowAction action_info;
58  bool terminal_rule;
59 };
60 
61 struct AclKey : public AgentOperDBKey {
62  AclKey(const boost::uuids::uuid &id) : AgentOperDBKey(), uuid_(id) {} ;
63  virtual ~AclKey() {};
64 
65  boost::uuids::uuid uuid_;
66 };
67 
68 struct AclData: public AgentOperDBData {
69  AclData(Agent *agent, IFMapNode *node, AclSpec &aclspec) :
70  AgentOperDBData(agent, node), ace_id_to_del_(0), ace_add(false),
71  acl_spec_(aclspec) {
72  }
73  AclData(Agent *agent, IFMapNode *node, int ace_id_to_del) :
74  AgentOperDBData(agent, node), ace_id_to_del_(ace_id_to_del) {
75  }
76  virtual ~AclData() { }
77 
78  // Delete a particular ace
79  int ace_id_to_del_;
80  // true: add to existing aces, false:replace existing aces with specified in the spec
81  bool ace_add;
82  std::string cfg_name_;
83  AclSpec acl_spec_;
84 };
85 
86 struct AclResyncQosConfigData : public AgentOperDBData {
87  AclResyncQosConfigData(Agent *agent, IFMapNode *node) :
88  AgentOperDBData(agent, node) {}
89 };
90 
91 class AclDBEntry : AgentRefCount<AclDBEntry>, public AgentOperDBEntry {
92 public:
93  typedef boost::intrusive::member_hook<AclEntry,
94  boost::intrusive::list_member_hook<>,
95  &AclEntry::acl_list_node> AclEntryNode;
96  typedef boost::intrusive::list<AclEntry, AclEntryNode> AclEntries;
97 
98  AclDBEntry(const boost::uuids::uuid &id) :
99  AgentOperDBEntry(), uuid_(id), dynamic_acl_(false) {
100  }
101  ~AclDBEntry() {
102  }
103 
104  bool IsLess(const DBEntry &rhs) const;
105  KeyPtr GetDBRequestKey() const;
106  void SetKey(const DBRequestKey *key);
107  std::string ToString() const;
108  uint32_t GetRefCount() const {
109  return AgentRefCount<AclDBEntry>::GetRefCount();
110  }
111  const boost::uuids::uuid &GetUuid() const {return uuid_;};
112  const std::string &GetName() const {return name_;};
113  void SetName(const std::string name) {name_ = name;};
114  bool DBEntrySandesh(Sandesh *resp, std::string &name) const;
115  void SetAclSandeshData(AclSandeshData &data) const;
116 
117  // ACL methods
118  //AclEntry *AddAclEntry(const AclEntrySpec &acl_entry_spec);
119  AclEntry *AddAclEntry(const AclEntrySpec &acl_entry_spec, AclEntries &entries);
120  bool DeleteAclEntry(const uint32_t acl_entry_id);
121  void DeleteAllAclEntries();
122  uint32_t Size() const {return acl_entries_.size();};
123  void SetAclEntries(AclEntries &entries);
124  void SetDynamicAcl(bool dyn) {dynamic_acl_ = dyn;};
125  bool GetDynamicAcl () const {return dynamic_acl_;};
126 
127  // Packet Match
128  bool PacketMatch(const PacketHeader &packet_header, MatchAclParams &m_acl,
129  FlowPolicyInfo *info) const;
130  bool Changed(const AclEntries &new_acl_entries) const;
131  uint32_t ace_count() const { return acl_entries_.size();}
132  bool IsRulePresent(const std::string &uuid) const;
133  bool ResyncQosConfigEntries();
134  bool IsQosConfigResolved();
135  bool Isresolved();
136  const AclEntry* GetAclEntryAtIndex(uint32_t) const;
137 private:
138  friend class AclTable;
139  boost::uuids::uuid uuid_;
140  bool dynamic_acl_;
141  std::string name_;
142  AclEntries acl_entries_;
143  DISALLOW_COPY_AND_ASSIGN(AclDBEntry);
144 };
145 
146 class AclTable : public AgentOperDBTable {
147 public:
148  typedef std::map<std::string, TrafficAction::Action> TrafficActionMap;
149  typedef std::set<AclDBEntry*> UnResolvedAclEntries;
150 
151  // Packet module is optional. Callback function to update the flow stats
152  // for ACL. The callback is defined to avoid linking error
153  // when flow is not enabled
154  typedef boost::function<void(const AclDBEntry *acl, AclFlowCountResp &data,
155  const std::string &ace_id)> FlowAceSandeshDataFn;
156  typedef boost::function<void(const AclDBEntry *acl, AclFlowResp &data,
157  const int last_count)> FlowAclSandeshDataFn;
158 
159  AclTable(DB *db, const std::string &name) : AgentOperDBTable(db, name) { }
160  virtual ~AclTable() { }
161  void GetTables(DB *db) { };
162 
163  virtual std::unique_ptr<DBEntry> AllocEntry(const DBRequestKey *k) const;
164  virtual size_t Hash(const DBEntry *entry) const {return 0;};
165  virtual size_t Hash(const DBRequestKey *key) const {return 0;};
166 
167  virtual DBEntry *OperDBAdd(const DBRequest *req);
168  virtual bool OperDBOnChange(DBEntry *entry, const DBRequest *req);
169  virtual bool OperDBDelete(DBEntry *entry, const DBRequest *req);
170  virtual bool OperDBResync(DBEntry *entry, const DBRequest *req);
171 
172  virtual bool IFNodeToReq(IFMapNode *node, DBRequest &req,
173  const boost::uuids::uuid &u);
174  void FirewallPolicyIFNodeToReq(IFMapNode *node, DBRequest &req,
175  const boost::uuids::uuid &u,
176  AclSpec &acl_spec);
177  void AclIFNodeToReq(IFMapNode *node, DBRequest &req,
178  const boost::uuids::uuid &u,
179  AclSpec &acl_spec);
180  virtual bool IFNodeToUuid(IFMapNode *node, boost::uuids::uuid &u);
181  virtual AgentSandeshPtr GetAgentSandesh(const AgentSandeshArguments *args,
182  const std::string &context);
183 
184  static DBTableBase *CreateTable(DB *db, const std::string &name);
185  TrafficAction::Action ConvertActionString(std::string action) const;
186  static void AclFlowResponse(const std::string acl_uuid_str,
187  const std::string ctx, const int last_count);
188  static void AclFlowCountResponse(const std::string acl_uuid_str,
189  const std::string ctx,
190  const std::string &ace_id);
191  void set_ace_flow_sandesh_data_cb(FlowAceSandeshDataFn fn);
192  void set_acl_flow_sandesh_data_cb(FlowAclSandeshDataFn fn);
193  void ListenerInit();
194  void Notify(DBTablePartBase *partition, DBEntryBase *e);
195  void AddUnresolvedEntry(AclDBEntry *entry);
196  void DeleteUnresolvedEntry(AclDBEntry *entry);
197 private:
198  bool SubnetTypeEqual(const autogen::SubnetType &lhs,
199  const autogen::SubnetType &rhs) const;
200  bool AddressTypeEqual(const autogen::AddressType &lhs,
201  const autogen::AddressType &rhs) const;
202  bool PortTypeEqual(const autogen::PortType &src,
203  const autogen::PortType &dst) const;
204  static const AclDBEntry* GetAclDBEntry(const std::string uuid_str,
205  const std::string ctx,
206  SandeshResponse *resp);
207  void AddImplicitRule(AclSpec &acl_spec, AclEntrySpec &ace_spec,
208  const autogen::FirewallRule *rule);
209  void PopulateServicePort(AclEntrySpec &ace_spec, IFMapNode *node);
210  IFMapNode *GetFirewallRule(IFMapNode *node);
211  void ActionInit();
212  DBTableBase::ListenerId qos_config_listener_id_;
213  UnResolvedAclEntries unresolved_acl_entries_;
214  TrafficActionMap ta_map_;
215  FlowAceSandeshDataFn flow_ace_sandesh_data_cb_;
216  FlowAclSandeshDataFn flow_acl_sandesh_data_cb_;
217  DISALLOW_COPY_AND_ASSIGN(AclTable);
218 };
219 
220 extern SandeshTraceBufferPtr AclTraceBuf;
221 
222 #define ACL_TRACE(obj, ...)\
223 do {\
224  Acl##obj::TraceMsg(AclTraceBuf, __FILE__, __LINE__, ##__VA_ARGS__);\
225 } while (false)
226 
227 #endif
AclTraceBuf
SandeshTraceBufferPtr AclTraceBuf
acl_entry.h
AclEntryIDList
std::vector< AclEntryID > AclEntryIDList
Definition: acl_entry.h:85
acl_entry_match.h
acl_entry_spec.h
AclDBEntryConstRef
boost::intrusive_ptr< const AclDBEntry > AclDBEntryConstRef
Definition: agent.h:143
AgentSandeshPtr
class boost::shared_ptr< AgentSandesh > AgentSandeshPtr
Definition: agent_db.h:20
AclDBEntry
Definition: acl.h:91
AclDBEntry::SetDynamicAcl
void SetDynamicAcl(bool dyn)
Definition: acl.h:124
AclDBEntry::GetName
const std::string & GetName() const
Definition: acl.h:112
AclDBEntry::ace_count
uint32_t ace_count() const
Definition: acl.h:131
AclDBEntry::AclEntryNode
boost::intrusive::member_hook< AclEntry, boost::intrusive::list_member_hook<>, &AclEntry::acl_list_node > AclEntryNode
Definition: acl.h:95
AclDBEntry::AclEntries
boost::intrusive::list< AclEntry, AclEntryNode > AclEntries
Definition: acl.h:96
AclDBEntry::GetUuid
const boost::uuids::uuid & GetUuid() const
Definition: acl.h:111
AclDBEntry::PacketMatch
bool PacketMatch(const PacketHeader &packet_header, MatchAclParams &m_acl, FlowPolicyInfo *info) const
Definition: acl.cc:798
AclDBEntry::GetDynamicAcl
bool GetDynamicAcl() const
Definition: acl.h:125
AclDBEntry::AclDBEntry
AclDBEntry(const boost::uuids::uuid &id)
Definition: acl.h:98
AclDBEntry::IsLess
bool IsLess(const DBEntry &rhs) const
Definition: acl.cc:47
AclDBEntry::IsRulePresent
bool IsRulePresent(const std::string &uuid) const
Definition: acl.cc:937
AclDBEntry::ResyncQosConfigEntries
bool ResyncQosConfigEntries()
Definition: acl.cc:712
AclDBEntry::ToString
std::string ToString() const
Definition: acl.cc:52
AclDBEntry::DeleteAllAclEntries
void DeleteAllAclEntries()
Definition: acl.cc:786
AclDBEntry::~AclDBEntry
~AclDBEntry()
Definition: acl.h:101
AclDBEntry::DBEntrySandesh
bool DBEntrySandesh(Sandesh *resp, std::string &name) const
Definition: acl.cc:68
AclDBEntry::acl_entries_
AclEntries acl_entries_
Definition: acl.h:142
AclDBEntry::GetAclEntryAtIndex
const AclEntry * GetAclEntryAtIndex(uint32_t) const
Definition: acl.cc:888
AclDBEntry::SetAclEntries
void SetAclEntries(AclEntries &entries)
Definition: acl.cc:687
AclDBEntry::name_
std::string name_
Definition: acl.h:141
AclDBEntry::SetAclSandeshData
void SetAclSandeshData(AclSandeshData &data) const
Definition: acl.cc:89
AclDBEntry::Isresolved
bool Isresolved()
AclDBEntry::SetName
void SetName(const std::string name)
Definition: acl.h:113
AclDBEntry::uuid_
boost::uuids::uuid uuid_
Definition: acl.h:139
AclDBEntry::IsQosConfigResolved
bool IsQosConfigResolved()
Definition: acl.cc:699
AclDBEntry::DISALLOW_COPY_AND_ASSIGN
DISALLOW_COPY_AND_ASSIGN(AclDBEntry)
AclDBEntry::DeleteAclEntry
bool DeleteAclEntry(const uint32_t acl_entry_id)
Definition: acl.cc:768
AclDBEntry::GetDBRequestKey
KeyPtr GetDBRequestKey() const
Definition: acl.cc:58
AclDBEntry::dynamic_acl_
bool dynamic_acl_
Definition: acl.h:140
AclDBEntry::Size
uint32_t Size() const
Definition: acl.h:122
AclDBEntry::SetKey
void SetKey(const DBRequestKey *key)
Definition: acl.cc:63
AclDBEntry::AddAclEntry
AclEntry * AddAclEntry(const AclEntrySpec &acl_entry_spec, AclEntries &entries)
Definition: acl.cc:726
AclDBEntry::Changed
bool Changed(const AclEntries &new_acl_entries) const
Definition: acl.cc:902
AclDBEntry::GetRefCount
uint32_t GetRefCount() const
Definition: acl.h:108
AclEntry::acl_list_node
boost::intrusive::list_member_hook acl_list_node
Definition: acl_entry.h:123
AclTable
Definition: acl.h:146
AclTable::AddImplicitRule
void AddImplicitRule(AclSpec &acl_spec, AclEntrySpec &ace_spec, const autogen::FirewallRule *rule)
Definition: acl.cc:495
AclTable::unresolved_acl_entries_
UnResolvedAclEntries unresolved_acl_entries_
Definition: acl.h:213
AclTable::IFNodeToUuid
virtual bool IFNodeToUuid(IFMapNode *node, boost::uuids::uuid &u)
Definition: acl.cc:403
AclTable::Hash
virtual size_t Hash(const DBEntry *entry) const
Definition: acl.h:164
AclTable::OperDBAdd
virtual DBEntry * OperDBAdd(const DBRequest *req)
Definition: acl.cc:107
AclTable::set_ace_flow_sandesh_data_cb
void set_ace_flow_sandesh_data_cb(FlowAceSandeshDataFn fn)
Definition: acl.cc:1576
AclTable::AclIFNodeToReq
void AclIFNodeToReq(IFMapNode *node, DBRequest &req, const boost::uuids::uuid &u, AclSpec &acl_spec)
Definition: acl.cc:607
AclTable::FlowAceSandeshDataFn
boost::function< void(const AclDBEntry *acl, AclFlowCountResp &data, const std::string &ace_id)> FlowAceSandeshDataFn
Definition: acl.h:155
AclTable::OperDBResync
virtual bool OperDBResync(DBEntry *entry, const DBRequest *req)
Definition: acl.cc:199
AclTable::TrafficActionMap
std::map< std::string, TrafficAction::Action > TrafficActionMap
Definition: acl.h:148
AclTable::flow_ace_sandesh_data_cb_
FlowAceSandeshDataFn flow_ace_sandesh_data_cb_
Definition: acl.h:215
AclTable::FirewallPolicyIFNodeToReq
void FirewallPolicyIFNodeToReq(IFMapNode *node, DBRequest &req, const boost::uuids::uuid &u, AclSpec &acl_spec)
Definition: acl.cc:506
AclTable::AddUnresolvedEntry
void AddUnresolvedEntry(AclDBEntry *entry)
Definition: acl.cc:228
AclTable::set_acl_flow_sandesh_data_cb
void set_acl_flow_sandesh_data_cb(FlowAclSandeshDataFn fn)
Definition: acl.cc:1580
AclTable::DISALLOW_COPY_AND_ASSIGN
DISALLOW_COPY_AND_ASSIGN(AclTable)
AclTable::Notify
void Notify(DBTablePartBase *partition, DBEntryBase *e)
Definition: acl.cc:236
AclTable::FlowAclSandeshDataFn
boost::function< void(const AclDBEntry *acl, AclFlowResp &data, const int last_count)> FlowAclSandeshDataFn
Definition: acl.h:157
AclTable::PopulateServicePort
void PopulateServicePort(AclEntrySpec &ace_spec, IFMapNode *node)
Definition: acl.cc:454
AclTable::Hash
virtual size_t Hash(const DBRequestKey *key) const
Definition: acl.h:165
AclTable::GetTables
void GetTables(DB *db)
Definition: acl.h:161
AclTable::PortTypeEqual
bool PortTypeEqual(const autogen::PortType &src, const autogen::PortType &dst) const
Definition: acl.cc:598
AclTable::ActionInit
void ActionInit()
Definition: acl.cc:211
AclTable::CreateTable
static DBTableBase * CreateTable(DB *db, const std::string &name)
Definition: acl.cc:274
AclTable::OperDBDelete
virtual bool OperDBDelete(DBEntry *entry, const DBRequest *req)
Definition: acl.cc:203
AclTable::GetAgentSandesh
virtual AgentSandeshPtr GetAgentSandesh(const AgentSandeshArguments *args, const std::string &context)
Definition: acl.cc:986
AclTable::IFNodeToReq
virtual bool IFNodeToReq(IFMapNode *node, DBRequest &req, const boost::uuids::uuid &u)
Definition: acl.cc:650
AclTable::qos_config_listener_id_
DBTableBase::ListenerId qos_config_listener_id_
Definition: acl.h:212
AclTable::AclFlowResponse
static void AclFlowResponse(const std::string acl_uuid_str, const std::string ctx, const int last_count)
Definition: acl.cc:949
AclTable::GetFirewallRule
IFMapNode * GetFirewallRule(IFMapNode *node)
Definition: acl.cc:474
AclTable::GetAclDBEntry
static const AclDBEntry * GetAclDBEntry(const std::string uuid_str, const std::string ctx, SandeshResponse *resp)
Definition: acl.cc:921
AclTable::flow_acl_sandesh_data_cb_
FlowAclSandeshDataFn flow_acl_sandesh_data_cb_
Definition: acl.h:216
AclTable::ta_map_
TrafficActionMap ta_map_
Definition: acl.h:214
AclTable::OperDBOnChange
virtual bool OperDBOnChange(DBEntry *entry, const DBRequest *req)
Definition: acl.cc:127
AclTable::AllocEntry
virtual std::unique_ptr< DBEntry > AllocEntry(const DBRequestKey *k) const
Definition: acl.cc:101
AclTable::AclFlowCountResponse
static void AclFlowCountResponse(const std::string acl_uuid_str, const std::string ctx, const std::string &ace_id)
Definition: acl.cc:965
AclTable::SubnetTypeEqual
bool SubnetTypeEqual(const autogen::SubnetType &lhs, const autogen::SubnetType &rhs) const
Definition: acl.cc:565
AclTable::UnResolvedAclEntries
std::set< AclDBEntry * > UnResolvedAclEntries
Definition: acl.h:149
AclTable::~AclTable
virtual ~AclTable()
Definition: acl.h:160
AclTable::AddressTypeEqual
bool AddressTypeEqual(const autogen::AddressType &lhs, const autogen::AddressType &rhs) const
Definition: acl.cc:574
AclTable::ListenerInit
void ListenerInit()
Definition: acl.cc:268
AclTable::AclTable
AclTable(DB *db, const std::string &name)
Definition: acl.h:159
AclTable::ConvertActionString
TrafficAction::Action ConvertActionString(std::string action) const
Definition: acl.cc:218
AclTable::DeleteUnresolvedEntry
void DeleteUnresolvedEntry(AclDBEntry *entry)
Definition: acl.cc:232
AgentRefCount::GetRefCount
uint32_t GetRefCount() const
Definition: agent_db.h:56
Agent
Definition: agent.h:360
DBEntryBase::KeyPtr
std::unique_ptr< DBRequestKey > KeyPtr
Definition: db_entry.h:24
DBTableBase::ListenerId
int ListenerId
Definition: db_table.h:62
DBTableBase::name
const std::string & name() const
Definition: db_table.h:110
DB
Definition: db.h:24
VnEntry
Definition: vn.h:151
oper_db.h
packet_header.h
SandeshTraceBufferPtr
boost::shared_ptr< TraceBuffer< SandeshTrace > > SandeshTraceBufferPtr
Definition: sandesh_trace.h:18
AclData
Definition: acl.h:68
AclData::acl_spec_
AclSpec acl_spec_
Definition: acl.h:83
AclData::cfg_name_
std::string cfg_name_
Definition: acl.h:82
AclData::ace_id_to_del_
int ace_id_to_del_
Definition: acl.h:79
AclData::ace_add
bool ace_add
Definition: acl.h:81
AclData::AclData
AclData(Agent *agent, IFMapNode *node, AclSpec &aclspec)
Definition: acl.h:69
AclData::AclData
AclData(Agent *agent, IFMapNode *node, int ace_id_to_del)
Definition: acl.h:73
AclData::~AclData
virtual ~AclData()
Definition: acl.h:76
AclKey
Definition: acl.h:61
AclKey::~AclKey
virtual ~AclKey()
Definition: acl.h:63
AclKey::uuid_
boost::uuids::uuid uuid_
Definition: acl.h:63
AclKey::AclKey
AclKey(const boost::uuids::uuid &id)
Definition: acl.h:62
AclResyncQosConfigData::AclResyncQosConfigData
AclResyncQosConfigData(Agent *agent, IFMapNode *node)
Definition: acl.h:87
AgentOperDBData::agent
const Agent * agent() const
Definition: oper_db.h:65
FlowAction
Definition: acl.h:34
FlowAction::~FlowAction
~FlowAction()
Definition: acl.h:37
FlowAction::vrf_translate_action_
VrfTranslateActionSpec vrf_translate_action_
Definition: acl.h:47
FlowAction::Clear
void Clear()
Definition: acl.h:39
FlowAction::mirror_l
std::vector< MirrorActionSpec > mirror_l
Definition: acl.h:46
FlowAction::FlowAction
FlowAction()
Definition: acl.h:35
FlowAction::action
uint32_t action
Definition: acl.h:43
FlowAction::qos_config_action_
QosConfigActionSpec qos_config_action_
Definition: acl.h:48
FlowPolicyInfo::dst_match_vn
std::string dst_match_vn
Definition: acl.h:29
FlowPolicyInfo::uuid
std::string uuid
Definition: acl.h:24
FlowPolicyInfo::FlowPolicyInfo
FlowPolicyInfo(const std::string &u)
Definition: acl.cc:42
FlowPolicyInfo::other
bool other
Definition: acl.h:27
FlowPolicyInfo::terminal
bool terminal
Definition: acl.h:26
FlowPolicyInfo::src_match_vn
std::string src_match_vn
Definition: acl.h:28
FlowPolicyInfo::drop
bool drop
Definition: acl.h:25
FlowPolicyInfo::acl_name
std::string acl_name
Definition: acl.h:30
MatchAclParams::acl
AclDBEntryConstRef acl
Definition: acl.h:53
MatchAclParams::ace_id_list
AclEntryIDList ace_id_list
Definition: acl.h:56
MatchAclParams::terminal_rule
bool terminal_rule
Definition: acl.h:58
MatchAclParams::action_info
FlowAction action_info
Definition: acl.h:57
MatchAclParams::~MatchAclParams
~MatchAclParams()
Definition: acl.h:53
MatchAclParams::MatchAclParams
MatchAclParams()
Definition: acl.h:52
traffic_action.h
uuid
boost::uuids::uuid uuid
Definition: vnsw/agent/filter/policy.h:11