faucet.acl module

Configuration for ACLs.

class faucet.acl.ACL(_id, dp_id, conf)[source]

Bases: Conf

Contains the state for an ACL, including the configuration.

ACL Config

ACLs are configured under the ‘acls’ configuration block. The acls block contains a dictionary of individual acls each keyed by its name.

Each acl contains a list of rules, a packet will have the first matching rule applied to it.

Each rule is a dictionary containing the single key ‘rule’ with the value the matches and actions for the rule.

The matches are key/values based on the ryu RESTFul API. The key ‘actions’ contains a dictionary with keys/values as follows:

  • allow (int): if 1 allow the packet to continue through the Faucet pipeline, if 0 drop the packet.

  • force_port_vlan (int): if 1, do not verify the VLAN/port association for this packet and override any VLAN ACL on the forced VLAN.

  • meter (str): meter to apply to the packet

  • output (dict): used to output a packet directly. details below.

  • cookie (int): set flow cookie to this value on this flow

The output action contains a dictionary with the following elements:

  • tunnel (dict): the tunnel formation, creates a tunnel from the applied port(s) to the specified destination

  • port (int or string): the port to output the packet to

  • ports (list): a list of the ports (int or string) to output the packet to

  • set_fields (list): a list of fields to set with values

  • pop_vlans: (int): pop the packet vlan before outputting

  • vlan_vid: (int): push the vlan vid on the packet when outputting

  • vlan_vids: (list): push the list of vlans on the packet when outputting, with option eth_type

  • swap_vid (int): rewrite the vlan vid of the packet when outputting

  • failover (dict): Output with a failover port (experimental)

actions_types = {'allow': <class 'int'>, 'ct': <class 'dict'>, 'force_port_vlan': <class 'int'>, 'meter': <class 'str'>, 'mirror': (<class 'str'>, <class 'int'>), 'output': (<class 'dict'>, <class 'list'>)}
add_tunnel_source(dp_name, port, reverse=False, bi_directional=False)[source]

Add a source dp/port pair for the tunnel ACL

build(meters, vid, port_num)[source]

Check that ACL can be built from config.


Check config at instantiation time for errors, typically via assert.

ct_action_nat_types = {'flags': <class 'int'>, 'range_ipv4_max': <class 'str'>, 'range_ipv4_min': <class 'str'>, 'range_ipv6_max': <class 'str'>, 'range_ipv6_min': <class 'str'>, 'range_proto_max': <class 'int'>, 'range_proto_min': <class 'int'>}
ct_action_types = {'alg': <class 'int'>, 'clear': <class 'bool'>, 'flags': <class 'int'>, 'nat': <class 'dict'>, 'table': <class 'int'>, 'zone': <class 'int'>, 'zone_src': <class 'int'>}
defaults: dict = {'dot1x_assigned': False, 'exact_match': False, 'rules': None}
defaults_types: dict = {'dot1x_assigned': <class 'bool'>, 'exact_match': <class 'bool'>, 'rules': <class 'list'>}
static does_rule_contain_tunnel(rule_conf)[source]

Return true if the ACL rule contains a tunnel


Configuration parsing marked complete.


Yield meters for each rule in ACL


Yield mirror destinations for each rule in ACL


Returns the number of tunnels specified in the ACL


Return the list of rules that apply a specific tunnel ID


Return true if the ACL contains a tunnel

mutable_attrs: frozenset = frozenset({'tunnel_sources'})
output_actions_types = {'failover': <class 'dict'>, 'pop_vlans': <class 'int'>, 'port': (<class 'str'>, <class 'int'>), 'ports': <class 'list'>, 'set_fields': <class 'list'>, 'swap_vid': <class 'int'>, 'tunnel': <class 'dict'>, 'vlan_vid': <class 'int'>, 'vlan_vids': <class 'list'>}

Returns true if the tunnel requires a reverse pathway

resolve_ports(resolve_port_cb, resolve_tunnel_objects)[source]

Resolve the values for the actions of an ACL

rule_types = {'actions': <class 'dict'>, 'arp_op': (<class 'str'>, <class 'int'>), 'arp_sha': (<class 'str'>, <class 'int'>), 'arp_spa': (<class 'str'>, <class 'int'>), 'arp_tha': (<class 'str'>, <class 'int'>), 'arp_tpa': (<class 'str'>, <class 'int'>), 'cookie': <class 'int'>, 'ct_label': (<class 'str'>, <class 'int'>), 'ct_mark': (<class 'str'>, <class 'int'>), 'ct_state': (<class 'str'>, <class 'int'>), 'ct_zone': (<class 'str'>, <class 'int'>), 'description': <class 'str'>, 'dl_dst': (<class 'str'>, <class 'int'>), 'dl_src': (<class 'str'>, <class 'int'>), 'dl_type': (<class 'str'>, <class 'int'>), 'dl_vlan': (<class 'str'>, <class 'int'>), 'eth_dst': (<class 'str'>, <class 'int'>), 'eth_src': (<class 'str'>, <class 'int'>), 'eth_type': (<class 'str'>, <class 'int'>), 'eth_type_nxm': (<class 'str'>, <class 'int'>), 'icmpv4_code': (<class 'str'>, <class 'int'>), 'icmpv4_type': (<class 'str'>, <class 'int'>), 'icmpv6_code': (<class 'str'>, <class 'int'>), 'icmpv6_type': (<class 'str'>, <class 'int'>), 'in_phy_port': (<class 'str'>, <class 'int'>), 'in_port': (<class 'str'>, <class 'int'>), 'ip_dscp': (<class 'str'>, <class 'int'>), 'ip_ecn': (<class 'str'>, <class 'int'>), 'ip_proto': (<class 'str'>, <class 'int'>), 'ip_proto_nxm': (<class 'str'>, <class 'int'>), 'ipv4_dst': (<class 'str'>, <class 'int'>), 'ipv4_src': (<class 'str'>, <class 'int'>), 'ipv6_dst': (<class 'str'>, <class 'int'>), 'ipv6_exthdr': (<class 'str'>, <class 'int'>), 'ipv6_flabel': (<class 'str'>, <class 'int'>), 'ipv6_nd_sll': (<class 'str'>, <class 'int'>), 'ipv6_nd_target': (<class 'str'>, <class 'int'>), 'ipv6_nd_tll': (<class 'str'>, <class 'int'>), 'ipv6_src': (<class 'str'>, <class 'int'>), 'metadata': (<class 'str'>, <class 'int'>), 'mpls_bos': (<class 'str'>, <class 'int'>), 'mpls_label': (<class 'str'>, <class 'int'>), 'mpls_tc': (<class 'str'>, <class 'int'>), 'nw_dst': (<class 'str'>, <class 'int'>), 'nw_proto': (<class 'str'>, <class 'int'>), 'nw_src': (<class 'str'>, <class 'int'>), 'nw_ttl': (<class 'str'>, <class 'int'>), 'pbb_isid': (<class 'str'>, <class 'int'>), 'sctp_dst': (<class 'str'>, <class 'int'>), 'sctp_src': (<class 'str'>, <class 'int'>), 'tcp_dst': (<class 'str'>, <class 'int'>), 'tcp_src': (<class 'str'>, <class 'int'>), 'tunnel_id': (<class 'str'>, <class 'int'>), 'udp_dst': (<class 'str'>, <class 'int'>), 'udp_src': (<class 'str'>, <class 'int'>), 'vlan_pcp': (<class 'str'>, <class 'int'>), 'vlan_vid': (<class 'str'>, <class 'int'>)}
tunnel_types = {'bi_directional': <class 'bool'>, 'dp': <class 'str'>, 'exit_instructions': (<class 'list'>, None), 'maintain_encapsulation': <class 'bool'>, 'port': (<class 'str'>, <class 'int'>, None), 'reverse': <class 'bool'>, 'tunnel_id': (<class 'str'>, <class 'int'>, None), 'type': (<class 'str'>, None)}
update_reverse_tunnel_rules(curr_dp, source_id, tunnel_id, out_port, output_table)[source]

Update the tunnel rulelist for when the output port has changed (reverse direction)

update_source_tunnel_rules(curr_dp, source_id, tunnel_id, out_port, output_table)[source]

Update the tunnel rulelist for when the output port has changed


Make sure that matches & set fields are configured correctly to handle tunnels