faucet.acl module
Configuration for ACLs.
- class faucet.acl.ACL(_id, dp_id, conf)
  Bases: faucet.conf.Conf
  Contains the state for an ACL, including the configuration.
  ACL Config
  ACLs are configured under the 'acls' configuration block. The acls block contains a dictionary of individual ACLs, each keyed by its name.
  Each ACL contains a list of rules; a packet has the first matching rule applied to it.
  Each rule is a dictionary containing the single key 'rule', whose value holds the matches and actions for the rule.
  The matches are key/values based on the Ryu RESTful API. The key 'actions' contains a dictionary with the following keys/values:
  - allow (int): if 1, allow the packet to continue through the Faucet pipeline; if 0, drop the packet.
  - force_port_vlan (int): if 1, do not verify the VLAN/port association for this packet and override any VLAN ACL on the forced VLAN.
  - meter (str): meter to apply to the packet.
  - output (dict): used to output a packet directly; details below.
  - cookie (int): set the flow cookie to this value on this flow.
  The output action contains a dictionary with the following elements:
  - tunnel (dict): the tunnel formation; creates a tunnel from the applied port(s) to the specified destination.
  - port (int or string): the port to output the packet to.
  - ports (list): a list of the ports (int or string) to output the packet to.
  - set_fields (list): a list of fields to set, with values.
  - pop_vlans (int): pop the packet's VLAN before outputting.
  - vlan_vid (int): push the VLAN vid onto the packet when outputting.
  - vlan_vids (list): push the list of VLANs onto the packet when outputting, with optional eth_type.
  - swap_vid (int): rewrite the VLAN vid of the packet when outputting.
  - failover (dict): output with a failover port (experimental).
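  The following is an added example, not Faucet's own code: it checks an acls block against the key/type tables documented on this page (a subset of rule_types is reproduced) and resolves which rule a packet hits under the first-match semantics described above. The sample ACL, field names and values are constructed for illustration.

```python
"""Added example, not Faucet's own code: validate an acls block against the key/type tables documented for faucet.acl.ACL and resolve the first matching rule."""
ACTIONS_TYPES = {'allow': int, 'force_port_vlan': int, 'meter': str,
                 'mirror': (str, int), 'output': dict}
OUTPUT_ACTIONS_TYPES = {'failover': dict, 'pop_vlans': int, 'port': (str, int),
                        'ports': list, 'set_fields': list, 'swap_vid': int,
                        'tunnel': dict, 'vlan_vid': int, 'vlan_vids': list}
# Subset of rule_types from this page; add the remaining match fields as needed.
RULE_TYPES = {'actions': dict, 'cookie': int, 'description': str, 'dl_type': (str, int),
              'ip_proto': (str, int), 'ipv4_dst': (str, int), 'ipv4_src': (str, int),
              'tcp_dst': (str, int), 'udp_dst': (str, int), 'vlan_vid': (str, int)}


def _check_keys(table, conf, where, errors):
    """Record keys of conf missing from table or carrying the wrong type; return conf if it is a dict."""
    if not isinstance(conf, dict):
        errors.append('%s: must be a dict' % where)
        return {}
    for key, value in conf.items():
        if key not in table:
            errors.append('%s: unknown key %r' % (where, key))
        elif not isinstance(value, table[key]):
            errors.append('%s: %r must be %s' % (where, key, table[key]))
    return conf


def validate_acls(acls):
    """Return a list of problems found in an acls dict (an empty list means well formed)."""
    errors = []
    for name, rules in acls.items():
        for index, entry in enumerate(rules):
            where = 'acl %s rule %d' % (name, index)
            # Each list entry must be a dict with the single key 'rule'.
            if not (isinstance(entry, dict) and list(entry) == ['rule']):
                errors.append('%s: entry must be a dict with the single key "rule"' % where)
                continue
            rule = _check_keys(RULE_TYPES, entry['rule'], where, errors)
            actions = _check_keys(ACTIONS_TYPES, rule.get('actions', {}), where + ' actions', errors)
            _check_keys(OUTPUT_ACTIONS_TYPES, actions.get('output', {}), where + ' output', errors)
    return errors


def first_matching_rule(rules, packet):
    """Index of the first rule whose match fields all equal the packet's fields, or None."""
    for index, entry in enumerate(rules):
        matches = {k: v for k, v in entry['rule'].items() if k not in ('actions', 'cookie', 'description')}
        if all(packet.get(k) == v for k, v in matches.items()):
            return index
    return None


# Constructed sample ACL: permit DNS to one resolver, then a catch-all drop as the last rule.
DNS_ONLY = [{'rule': {'dl_type': 0x800, 'ip_proto': 17, 'ipv4_dst': '192.0.2.53',
                      'udp_dst': 53, 'actions': {'allow': 1}}},
            {'rule': {'description': 'default deny', 'actions': {'allow': 0}}}]
```

A rule with no match keys, like the last one above, matches every packet, so ordering the explicit allow before it is what makes the ACL a default-deny list.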
  - actions_types = {'allow': int, 'force_port_vlan': int, 'meter': str, 'mirror': (str, int), 'output': dict}
  - defaults = {'exact_match': False, 'rules': None}
  - defaults_types = {'exact_match': bool, 'rules': list}
  - get_in_port_match(tunnel_id)
    Returns the port number of the src_port of the tunnel that the ingress tunnel ACL will need to match on.
    Parameters: tunnel_id (int): tunnel identifier used to obtain the src_port
    Returns: src_port number if it exists, None otherwise
    Return type: int or None
  - get_tunnel_id(rule_index)
    Gets the tunnel ID for the rule.
    Parameters: rule_index (int): index of the tunnel rule in the self.rules list
    Returns: identifier for the tunnel
    Return type: tunnel_id (int)
  - get_tunnel_rule_indices()
    Gets the rules from the rule conf that contain tunnel outputs.
    Returns: list of integer indices into the self.rules rule list that contain tunnel information
    Return type: rules (list)
  - output_actions_types = {'failover': dict, 'pop_vlans': int, 'port': (str, int), 'ports': list, 'set_fields': list, 'swap_vid': int, 'tunnel': dict, 'vlan_vid': int, 'vlan_vids': list}
  - remove_non_tunnel_rules()
    Removes all non-tunnel rules from the ACL, and removes all match fields and all actions not required for tunnelling from the tunnel rules.
  - rule_types = {
      'actions': dict, 'cookie': int, 'description': str,
      'arp_op': (str, int), 'arp_sha': (str, int), 'arp_spa': (str, int), 'arp_tha': (str, int), 'arp_tpa': (str, int),
      'dl_dst': (str, int), 'dl_src': (str, int), 'dl_type': (str, int), 'dl_vlan': (str, int),
      'eth_dst': (str, int), 'eth_src': (str, int), 'eth_type': (str, int),
      'icmpv4_code': (str, int), 'icmpv4_type': (str, int), 'icmpv6_code': (str, int), 'icmpv6_type': (str, int),
      'in_phy_port': (str, int), 'in_port': (str, int),
      'ip_dscp': (str, int), 'ip_ecn': (str, int), 'ip_proto': (str, int),
      'ipv4_dst': (str, int), 'ipv4_src': (str, int),
      'ipv6_dst': (str, int), 'ipv6_exthdr': (str, int), 'ipv6_flabel': (str, int), 'ipv6_nd_sll': (str, int), 'ipv6_nd_target': (str, int), 'ipv6_nd_tll': (str, int), 'ipv6_src': (str, int),
      'metadata': (str, int), 'mpls_bos': (str, int), 'mpls_label': (str, int), 'mpls_tc': (str, int),
      'nw_dst': (str, int), 'nw_proto': (str, int), 'nw_src': (str, int), 'pbb_isid': (str, int),
      'sctp_dst': (str, int), 'sctp_src': (str, int), 'tcp_dst': (str, int), 'tcp_src': (str, int),
      'tunnel_id': (str, int), 'udp_dst': (str, int), 'udp_src': (str, int),
      'vlan_pcp': (str, int), 'vlan_vid': (str, int)}
  - tunnel_types = {'dp': str, 'port': (str, int), 'tunnel_id': (str, int), 'type': str}
  - unpack_tunnel(tunnel_id)
    Retrieves the information from the tunnel dict for the tunnel with the given id.
    Parameters: tunnel_id (int): identifier for the tunnel
    Returns: tunnel information
    Return type: (src_dp, src_port, dst_dp, dst_port)
  - update_tunnel_acl_conf(dp)
    Updates the ACL rule conf if the DP is in the tunnel path.
    Parameters: dp (DP): the DP that this tunnel ACL object belongs to
    Returns: True if any value was updated
    Return type: bool
  - verify_tunnel_rules(dp)
    Verifies the actions in the tunnel ACL by making sure the user hasn't specified an action/match that will create a clash.
    Parameters: dp (DP): the DP that this tunnel ACL object belongs to
    TODO: Choose what combinations of matches and actions to disallow with a tunnel.