Added drop rules to prevent packets for virtual networks go out

through the physical network Change-Id: I84dddb0c7ca4764c00566c29c163badc8d5c538f

Added drop rules to prevent packets for virtual networks go out
through the physical network Change-Id: I84dddb0c7ca4764c00566c29c163badc8d5c538f
Hyunsun Moon · Gerrit Code Review
Commit 81ab23b3eb4c925aabd09bc714eec5ca5a916635 81ab23b3 1 parent 9186613c
Showing 1 changed file with 33 additions and 1 deletions
apps/cordvtn/src/main/java/org/onosproject/cordvtn/CordVtnRuleInstaller.java
--- a/apps/cordvtn/src/main/java/org/onosproject/cordvtn/CordVtnRuleInstaller.java
View file @81ab23b
+++ b/apps/cordvtn/src/main/java/org/onosproject/cordvtn/CordVtnRuleInstaller.java
View file @81ab23b
@@ -196,6 +196,7 @@ public class CordVtnRuleInstaller {
 
         populateLocalInPortRule(deviceId, inPort, hostIp);
         populateDirectAccessRule(Ip4Prefix.valueOf(subnet.cidr()), Ip4Prefix.valueOf(subnet.cidr()));
+         populateServiceIsolationRule(Ip4Prefix.valueOf(subnet.cidr()));
         populateDstIpRule(deviceId, inPort, dstMac, hostIp, tunnelId, tunnelIp);
         populateTunnelInRule(deviceId, inPort, dstMac, tunnelId);
     }
@@ -785,6 +786,37 @@ public class CordVtnRuleInstaller {
                     .fromApp(appId)
                     .withSelector(selector)
                     .withTreatment(treatment)
+                     .withPriority(DEFAULT_PRIORITY)
+                     .forDevice(device.id())
+                     .forTable(TABLE_ACCESS_TYPE)
+                     .makePermanent()
+                     .build();
+ 
+             processFlowRule(true, flowRuleDirect);
+         }
+     }
+ 
+     /**
+      * Populates drop rules that does not match any direct access rules but has
+      * destination to a different service network in ACCESS_TYPE table.
+      *
+      * @param dstRange destination ip range
+      */
+     private void populateServiceIsolationRule(Ip4Prefix dstRange) {
+         TrafficSelector selector = DefaultTrafficSelector.builder()
+                 .matchEthType(Ethernet.TYPE_IPV4)
+                 .matchIPDst(dstRange)
+                 .build();
+ 
+         TrafficTreatment treatment = DefaultTrafficTreatment.builder()
+                 .drop()
+                 .build();
+ 
+         for (Device device : deviceService.getAvailableDevices(SWITCH)) {
+             FlowRule flowRuleDirect = DefaultFlowRule.builder()
+                     .fromApp(appId)
+                     .withSelector(selector)
+                     .withTreatment(treatment)
                     .withPriority(LOW_PRIORITY)
                     .forDevice(device.id())
                     .forTable(TABLE_ACCESS_TYPE)
@@ -820,7 +852,7 @@ public class CordVtnRuleInstaller {
                     .fromApp(appId)
                     .withSelector(selector)
                     .withTreatment(treatment)
-                     .withPriority(DEFAULT_PRIORITY)
+                     .withPriority(HIGH_PRIORITY)
                     .forDevice(outGroup.getKey())
                     .forTable(TABLE_ACCESS_TYPE)
                     .makePermanent()