PR for Security group for early feedback #156

er1cthe0ne · 2020-10-26T05:11:55Z

please remove the first three lines of extra header.

er1cthe0ne · 2020-10-26T05:13:26Z

ACA uses .clang-format to do automatic formatting. I have the setting in my IDE to auto-format on file save. Please see if you can do similar settings in your IDE.

-Original file line number
+Diff line change
@@ -0,0 +1,188 @@
+    //
+    // Created by Administrator on 2020/10/12.
+    //
+    // Copyright 2019 The Alcor Authors.
+    //
+    // Licensed under the Apache License, Version 2.0 (the "License");
+    // you may not use this file except in compliance with the License.
+    // You may obtain a copy of the License at
+    //
+    //     http://www.apache.org/licenses/LICENSE-2.0
+    //
+    // Unless required by applicable law or agreed to in writing, software
+    // distributed under the License is distributed on an "AS IS" BASIS,
+    // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    // See the License for the specific language governing permissions and
+    // limitations under the License.
+    #ifndef ALCOR_CONTROL_AGENT_SECURITY_GROUP_H
+    #define ALCOR_CONTROL_AGENT_SECURITY_GROUP_H
+    #include <stdint.h>
+    #include <string>
+    #include <map>
+    #include <vector>
+    #include <set>
+    using namespace std;
+    namespace aca_security_group
+    {
+    enum OperationType {
+    	CREATE=1,
+    	UPDATE,
+    	DELETE,
+    	UNKNOWN_OPERATION,
+    };
+    enum Direction {
+    	INGRESS=1,
+    	EGRESS,
+    	UNKNOWN_DIRECTION,
+    };
+    enum Ethertype {
+    	IPV4=0x0800,
+    	ARP=0x0806,
+    	IPV6=0x86dd,
+    	UNKNOWN_ETHERTYPE,
+    };
+    enum Protocol {
+    	TCP=6,
+    	UDP=17,
+    	ICMP=1,
+    	UNKNOWN_PROTO
+    };
+    class Aca_Security_Group;
+    class Aca_Security_Group_Rule {
+    public:
+        static Aca_Security_Group_Rule &get_instance();
+        void set_id(string id);
+    	string get_id(void);
+    	void set_name(string name);
+    	string get_name(void);
+    	void set_cookie(uint64_t cookie);
+    	uint64_t get_cookie(void);
+    	void set_direction(Direction direction);
+    	Direction get_direction(void);
+    	void set_ethertype(Ethertype ethertype);
+    	Ethertype get_ethertype(void);
+    	void set_protocol(Protocol protocol);
+    	Protocol get_protocol(void);
+    	uint32_t get_port_range_min(void);
+    	void set_port_range_min(uint32_t port_range_min);
+    	uint32_t get_port_range_max(void);
+    	void set_port_range_max(uint32_t port_range_max);
+    	string get_remote_ip_prefix(void);
+    	void set_remote_ip_prefix(string remote_ip_prefix);
+    	void set_remote_group_id(string remote_group_id);
+    	string get_remote_group_id(void);
+    	void set_operation_type(OperationType operation_type);
+    	OperationType get_operation_type(void);
+    	void set_remote_group(Aca_Security_Group * remote_group);
+    	Aca_Security_Group * get_remote_group(void);
+    private:
+    	string id;
+    	string name;
+    	uint64_t cookie;
+    	Direction direction;
+    	Ethertype ethertype;
+    	Protocol protocol;
+    	uint32_t port_range_min;
+    	uint32_t port_range_max;
+    	string remote_ip_prefix;
+    	string remote_group_id;
+    	OperationType operation_type;
+    	Aca_Security_Group *remote_group;
+    };
+    class Aca_Security_Group {
+    public:
+    	Aca_Security_Group();
+    	Aca_Security_Group(Aca_Security_Group &sg);
+        void set_id(string id);
+    	string get_id(void);
+    	void set_name(string name);
+    	string get_name(void);
+    	void set_format_version(uint32_t format_version);
+    	uint32_t get_format_version(void);
+    	void set_revision_number(uint32_t revision_number);
+    	uint32_t get_revision_number(void);
+    	void set_vpc_id(string vpc_id);
+    	string get_vpc_id(void);
+    	void set_operation_type(OperationType operation_type);
+    	OperationType get_operation_type(void);
+    	void add_port_id(string port_id);
+    	void delete_port_id(string port_id);
+    	int get_port_num(void);
+    	set<string> &get_port_ids(void);
+    	void add_security_group_rule(Aca_Security_Group_Rule *sg_rule);
+    	void update_security_group_rule(Aca_Security_Group_Rule *sg_rule);
+    	void delete_security_group_rule(string sg_rule_id);
+    	Aca_Security_Group_Rule* get_security_group_rule(string sg_rule_id);
+    	map<string, Aca_Security_Group_Rule *> get_security_group_rules();
+    private:
+    	string id;
+    	string name;
+    	uint32_t format_version;
+    	uint32_t revision_number;
+    	string vpc_id;
+    	OperationType operation_type;
+    	set<string> port_ids;
+    	map<string, Aca_Security_Group_Rule *> rules;
+    };
+    class Aca_Port {
+    public:
+    	Aca_Port();
+    	Aca_Port(Aca_Port &port);
+        void set_id(string id);
+    	string get_id(void);
+    	void set_name(string name);
+    	string get_name(void);
+    	void set_ofport(uint32_t ofport);
+    	uint32_t get_ofport(void);
+    	void set_vni(uint32_t vni);
+    	uint32_t get_vni(void);
+    	void set_format_version(uint32_t format_version);
+    	uint32_t get_format_version(void);
+    	void set_revision_number(uint32_t revision_number);
+    	uint32_t get_revision_number(void);
+    	void set_vpc_id(string vpc_id);
+    	string get_vpc_id(void);
+    	void set_mac_address(string mac_address);
+    	string get_mac_address(void);
+    	void add_fixed_ip(string fixed_ip);
+    	vector<string> &get_fixed_ip(void);
+    	void add_security_group_id(string security_group_id);
+    	void delete_security_group_id(string security_group_id);
+    	int get_security_group_num(void);
+    	void add_allow_address_pair(string ip_address, string mac_address);
+    	int allow_address_pairs_size(void);
+    	vector<pair<string, string>> get_allow_address_pairs(void);
+    	void add_security_group(Aca_Security_Group *security_group);
+    	Aca_Security_Group *get_security_group(string sg_id);
+    private:
+    	string id;
+    	string name;
+    	uint32_t ofport;
+    	uint32_t vni;
+    	uint32_t format_version;
+    	uint32_t revision_number;
+    	string vpc_id;
+    	string mac_address;
+    	vector<string> fixed_ips;
+    	set<string> security_group_ids;
+    	vector<pair<string, string>> allow_address_pairs;
+    	map<string, Aca_Security_Group *> security_groups;
+    };
+    }
+    #endif //ALCOR_CONTROL_AGENT_SECURITY_GROUP_H

-Original file line number
+Diff line change
@@ -0,0 +1,46 @@
+    //
+    // Created by Administrator on 2020/10/12.
+    //
+    // Copyright 2019 The Alcor Authors.
+    //
+    // Licensed under the Apache License, Version 2.0 (the "License");
+    // you may not use this file except in compliance with the License.
+    // You may obtain a copy of the License at
+    //
+    //     http://www.apache.org/licenses/LICENSE-2.0
+    //
+    // Unless required by applicable law or agreed to in writing, software
+    // distributed under the License is distributed on an "AS IS" BASIS,
+    // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    // See the License for the specific language governing permissions and
+    // limitations under the License.
+    #ifndef ALCOR_CONTROL_AGENT_SECURITY_GROUP_MANAGER_H
+    #define ALCOR_CONTROL_AGENT_SECURITY_GROUP_MANAGER_H
+    #include "aca_security_group.h"
+    namespace aca_security_group {
+    class Aca_Security_Group_Manager {
+    public:
+        static Aca_Security_Group_Manager &get_instance();
+        int create_security_group_rule(Aca_Port &port, Aca_Security_Group &sg, Aca_Security_Group_Rule &sg_rule);
+    	int update_security_group_rule(Aca_Port &port, Aca_Security_Group &sg, Aca_Security_Group_Rule &sg_rule);
+    	int delete_security_group_rule(Aca_Port &port, Aca_Security_Group &sg, Aca_Security_Group_Rule &sg_rule);
+    	int create_security_group(Aca_Port &input_port, Aca_Security_Group &input_sg);
+    	int update_security_group(Aca_Port &input_port, Aca_Security_Group &input_sg);
+    	int delete_security_group(Aca_Port &input_port, Aca_Security_Group &input_sg);
+    	map<string, Aca_Port *> &get_ports(void);
+    	map<string, Aca_Security_Group *> &get_security_groups(void);
+    private:
+    	int set_remote_group(Aca_Security_Group_Rule &sg_rule);
+    	map<string, Aca_Port *> ports;
+    	map<string, Aca_Security_Group *> security_groups;
+    };
+    }
+    #endif //ALCOR_CONTROL_AGENT_SECURITY_GROUP_MANAGER_H

-Original file line number
+Diff line change
@@ -0,0 +1,83 @@
+    //
+    // Created by Administrator on 2020/10/12.
+    //
+    // Copyright 2019 The Alcor Authors.
+    //
+    // Licensed under the Apache License, Version 2.0 (the "License");
+    // you may not use this file except in compliance with the License.
+    // You may obtain a copy of the License at
+    //
+    //     http://www.apache.org/licenses/LICENSE-2.0
+    //
+    // Unless required by applicable law or agreed to in writing, software
+    // distributed under the License is distributed on an "AS IS" BASIS,
+    // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    // See the License for the specific language governing permissions and
+    // limitations under the License.
+    #ifndef ALCOR_CONTROL_AGENT_SECURITY_GROUP_OVS_H
+    #define ALCOR_CONTROL_AGENT_SECURITY_GROUP_OVS_H
+    #include "aca_security_group.h"
+    namespace aca_security_group {
+    #define TRANSIENT_TABLE 60
+    #define BASE_EGRESS_TABLE 71
+    #define RULES_EGRESS_TABLE 72
+    #define ACCEPT_OR_INGRESS_TABLE 73
+    #define BASE_INGRESS_TABLE 81
+    #define RULES_INGRESS_TABLE 82
+    #define ACCEPTED_EGRESS_TRAFFIC_TABLE 91
+    #define ACCEPTED_INGRESS_TRAFFIC_TABLE 92
+    #define DROPPED_TRAFFIC_TABLE 93
+    #define ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE 94
+    #define ETHERTYPE_IP  0x0800
+    #define ETHERTYPE_ARP 0x0806
+    #define ETHERTYPE_IPV6 0x86dd
+    #define PROTO_NUM_ICMP 1
+    #define PROTO_NUM_TCP 6
+    #define PROTO_NUM_UDP 17
+    #define REG_PORT 5
+    #define REG_NET 6
+    #define BR_INT "br-int"
+    #define BR_TUN "br-tun"
+    #define FLOW_PRIORITY_BASE 70
+    class Aca_Security_Group_Ovs {
+    public:
+        static Aca_Security_Group_Ovs &get_instance();
+    	void init_port_flows(Aca_Port &port);
+    	void clear_port_flows(Aca_Port &port);
+    	int create_port_security_group_rule(Aca_Port &port,
+                                                        Aca_Security_Group_Rule &sg_rule);
+        int update_port_security_group_rule(Aca_Port &port, Aca_Security_Group_Rule &new_sg_rule, Aca_Security_Group_Rule &old_sg_rule);
+    	int delete_port_security_group_rule(Aca_Port &port, Aca_Security_Group_Rule &sg_rule);
+    private:
+    	int get_vlan_by_segment_id(const int segment_id);
+        void init_port_egress_flows(Aca_Port &port);
+        void init_port_ingress_flows(const Aca_Port &port);
+        int flow_priority_offset(Aca_Security_Group_Rule &sg_rule, bool conjunction);
+        int get_dl_type_by_ether_type(uint32_t ether_type);
+        string get_nw_proto_by_protocol(uint32_t protocol);
+    	int get_remote_group_conj_id(Aca_Security_Group_Rule &sg_rule);
+        int build_flows_by_sg_rule(Aca_Port &port,Aca_Security_Group_Rule &sg_rule, bool del_flow, vector<string> &flows);
+    	int build_conjunction_flows(Aca_Port &port, Aca_Security_Group_Rule &sg_rule, vector<string> &flows);
+    	int get_remote_group_ips(Aca_Security_Group *remote_group, vector<string> &remote_ips);
+    	int build_flows_by_remote_ip(Aca_Port &port, Aca_Security_Group_Rule &sg_rule, string remote_ip, int conj_id, vector<string> &flows);
+    	int build_flow_match_fileds(Aca_Port &port, Aca_Security_Group_Rule &sg_rule, bool del_flow, vector<string> &flows);
+    	int add_conjunction_actions(string _flow, int conj_id, int dimension, vector<string> &flows);
+    	int build_accept_flows(Aca_Port &port,Aca_Security_Group_Rule &sg_rule, int conj_id, vector<string> &flows);
+    	uint64_t conj_id_base;
+    	map<string, uint64_t> conj_ids;
+    };
+    }
+    #endif //ALCOR_CONTROL_AGENT_SECURITY_GROUP_OVS_H

-Original file line number
+Diff line change
@@ -0,0 +1,45 @@
+    //
+    // Created by Administrator on 2020/10/12.
+    //
+    // Copyright 2019 The Alcor Authors.
+    //
+    // Licensed under the Apache License, Version 2.0 (the "License");
+    // you may not use this file except in compliance with the License.
+    // You may obtain a copy of the License at
+    //
+    //     http://www.apache.org/licenses/LICENSE-2.0
+    //
+    // Unless required by applicable law or agreed to in writing, software
+    // distributed under the License is distributed on an "AS IS" BASIS,
+    // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    // See the License for the specific language governing permissions and
+    // limitations under the License.
+    #ifndef ALCOR_CONTROL_AGENT_ACA_SG_STATE_HANDLER_H
+    #define ALCOR_CONTROL_AGENT_ACA_SG_STATE_HANDLER_H
+    #include "aca_security_group.h"
+    #include "goalstateprovisioner.grpc.pb.h"
+    namespace aca_security_group
+    {
+    class Aca_Sg_State_Handler {
+    public:
+        static Aca_Sg_State_Handler &get_instance();
+        int update_security_group_states(const alcor::schema::GoalState &goal_state,
+                             alcor::schema::GoalStateOperationReply &reply);
+    private:
+        // constructor and destructor marked as private so that noone can call it
+        // for the singleton implementation
+        Aca_Sg_State_Handler();
+        ~Aca_Sg_State_Handler();
+    	Aca_Port * parse_port_state(const alcor::schema::PortState &port_state);
+        void parse_security_group_states(const alcor::schema::GoalState &goal_state, std::map<string, Aca_Security_Group *> &sg_state_map);
+    	OperationType get_operation_type(alcor::schema::OperationType operation_type);
+    	Direction get_direction(alcor::schema::SecurityGroupConfiguration::Direction direction);
+    	Ethertype get_ethertype(alcor::schema::EtherType ethertype);
+    	Protocol get_protocol(alcor::schema::Protocol protocol);
+     	int handle_port_security_group(Aca_Port &aca_port, Aca_Security_Group &aca_sg);
+    };
+    }
+    #endif //ALCOR_CONTROL_AGENT_ACA_SG_STATE_HANDLER_H

-Original file line number
+Diff line change
@@ -1,5 +1,7 @@
     set(EXECUTABLE_OUTPUT_PATH ${CMAKE_CURRENT_SOURCE_DIR}/../build/bin)
+    add_definitions("-O0 -g")
     set(SOURCES
         ./comm/aca_message_producer.cpp
         ./comm/aca_message_consumer.cpp
@@ Expand All / @@ -15,8 +17,12 @@ set(SOURCES @@
         ./ovs/aca_ovs_control.cpp
         ./dhcp/aca_dhcp_state_handler.cpp
         ./dhcp/aca_dhcp_server.cpp
+    	./sg/aca_sg_state_handler.cpp
+    	./sg/aca_security_group.cpp
+    	./sg/aca_security_group_manager.cpp
+    	./sg/aca_security_group_ovs.cpp
     )
-    FIND_LIBRARY(RDKAFKA rdkafka /usr/lib/x86_64-linux-gnu NO_DEFAULT_PATH)
+    FIND_LIBRARY(RDKAFKA rdkafka /usr/lib/x86_64-linux-gnu /usr/local/lib NO_DEFAULT_PATH) #for centos
     FIND_LIBRARY(CPPKAFKA cppkafka /usr/local/lib NO_DEFAULT_PATH)
     FIND_LIBRARY(OPENVSWITCH openvswitch /usr/local/lib NO_DEFAULT_PATH)
     FIND_LIBRARY(MESSAGEMANAGER messagemanager ${CMAKE_CURRENT_SOURCE_DIR}/../include NO_DEFAULT_PATH)
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

PR for Security group for early feedback #156

Uh oh!

Diff view

Diff view

There are no files selected for viewing

er1cthe0ne Oct 26, 2020

Uh oh!

er1cthe0ne Oct 26, 2020

Uh oh!

Uh oh!

PR for Security group for early feedback #156

Are you sure you want to change the base?

Uh oh!

PR for Security group for early feedback #156

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

er1cthe0ne Oct 26, 2020

Choose a reason for hiding this comment

Uh oh!

er1cthe0ne Oct 26, 2020

Choose a reason for hiding this comment

Uh oh!

Uh oh!