faucet.acl module
Configuration for ACLs.
- class faucet.acl.ACL(_id, dp_id, conf)[source]
Bases:
Conf
Contains the state for an ACL, including the configuration.
ACL Config
ACLs are configured under the ‘acls’ configuration block. The acls block contains a dictionary of individual acls each keyed by its name.
Each acl contains a list of rules, a packet will have the first matching rule applied to it.
Each rule is a dictionary containing the single key ‘rule’ with the value the matches and actions for the rule.
The matches are key/values based on the ryu RESTFul API. The key ‘actions’ contains a dictionary with keys/values as follows:
allow (int): if 1 allow the packet to continue through the Faucet pipeline, if 0 drop the packet.
force_port_vlan (int): if 1, do not verify the VLAN/port association for this packet and override any VLAN ACL on the forced VLAN.
meter (str): meter to apply to the packet
output (dict): used to output a packet directly. details below.
cookie (int): set flow cookie to this value on this flow
The output action contains a dictionary with the following elements:
tunnel (dict): the tunnel formation, creates a tunnel from the applied port(s) to the specified destination
port (int or string): the port to output the packet to
ports (list): a list of the ports (int or string) to output the packet to
set_fields (list): a list of fields to set with values
pop_vlans: (int): pop the packet vlan before outputting
vlan_vid: (int): push the vlan vid on the packet when outputting
vlan_vids: (list): push the list of vlans on the packet when outputting, with option eth_type
swap_vid (int): rewrite the vlan vid of the packet when outputting
failover (dict): Output with a failover port (experimental)
- actions_types = {'allow': <class 'int'>, 'ct': <class 'dict'>, 'force_port_vlan': <class 'int'>, 'meter': <class 'str'>, 'mirror': (<class 'str'>, <class 'int'>), 'output': (<class 'dict'>, <class 'list'>)}
- add_tunnel_source(dp_name, port, reverse=False, bi_directional=False)[source]
Add a source dp/port pair for the tunnel ACL
- ct_action_nat_types = {'flags': <class 'int'>, 'range_ipv4_max': <class 'str'>, 'range_ipv4_min': <class 'str'>, 'range_ipv6_max': <class 'str'>, 'range_ipv6_min': <class 'str'>, 'range_proto_max': <class 'int'>, 'range_proto_min': <class 'int'>}
- ct_action_types = {'alg': <class 'int'>, 'clear': <class 'bool'>, 'flags': <class 'int'>, 'nat': <class 'dict'>, 'table': <class 'int'>, 'zone': <class 'int'>, 'zone_src': <class 'int'>}
- defaults: dict = {'dot1x_assigned': False, 'exact_match': False, 'rules': None}
- defaults_types: dict = {'dot1x_assigned': <class 'bool'>, 'exact_match': <class 'bool'>, 'rules': <class 'list'>}
- mutable_attrs: frozenset = frozenset({'tunnel_sources'})
- output_actions_types = {'failover': <class 'dict'>, 'pop_vlans': <class 'int'>, 'port': (<class 'str'>, <class 'int'>), 'ports': <class 'list'>, 'set_fields': <class 'list'>, 'swap_vid': <class 'int'>, 'tunnel': <class 'dict'>, 'vlan_vid': <class 'int'>, 'vlan_vids': <class 'list'>}
- resolve_ports(resolve_port_cb, resolve_tunnel_objects)[source]
Resolve the values for the actions of an ACL
- rule_types = {'actions': <class 'dict'>, 'arp_op': (<class 'str'>, <class 'int'>), 'arp_sha': (<class 'str'>, <class 'int'>), 'arp_spa': (<class 'str'>, <class 'int'>), 'arp_tha': (<class 'str'>, <class 'int'>), 'arp_tpa': (<class 'str'>, <class 'int'>), 'cookie': <class 'int'>, 'ct_label': (<class 'str'>, <class 'int'>), 'ct_mark': (<class 'str'>, <class 'int'>), 'ct_state': (<class 'str'>, <class 'int'>), 'ct_zone': (<class 'str'>, <class 'int'>), 'description': <class 'str'>, 'dl_dst': (<class 'str'>, <class 'int'>), 'dl_src': (<class 'str'>, <class 'int'>), 'dl_type': (<class 'str'>, <class 'int'>), 'dl_vlan': (<class 'str'>, <class 'int'>), 'eth_dst': (<class 'str'>, <class 'int'>), 'eth_src': (<class 'str'>, <class 'int'>), 'eth_type': (<class 'str'>, <class 'int'>), 'eth_type_nxm': (<class 'str'>, <class 'int'>), 'icmpv4_code': (<class 'str'>, <class 'int'>), 'icmpv4_type': (<class 'str'>, <class 'int'>), 'icmpv6_code': (<class 'str'>, <class 'int'>), 'icmpv6_type': (<class 'str'>, <class 'int'>), 'in_phy_port': (<class 'str'>, <class 'int'>), 'in_port': (<class 'str'>, <class 'int'>), 'ip_dscp': (<class 'str'>, <class 'int'>), 'ip_ecn': (<class 'str'>, <class 'int'>), 'ip_proto': (<class 'str'>, <class 'int'>), 'ip_proto_nxm': (<class 'str'>, <class 'int'>), 'ipv4_dst': (<class 'str'>, <class 'int'>), 'ipv4_src': (<class 'str'>, <class 'int'>), 'ipv6_dst': (<class 'str'>, <class 'int'>), 'ipv6_exthdr': (<class 'str'>, <class 'int'>), 'ipv6_flabel': (<class 'str'>, <class 'int'>), 'ipv6_nd_sll': (<class 'str'>, <class 'int'>), 'ipv6_nd_target': (<class 'str'>, <class 'int'>), 'ipv6_nd_tll': (<class 'str'>, <class 'int'>), 'ipv6_src': (<class 'str'>, <class 'int'>), 'metadata': (<class 'str'>, <class 'int'>), 'mpls_bos': (<class 'str'>, <class 'int'>), 'mpls_label': (<class 'str'>, <class 'int'>), 'mpls_tc': (<class 'str'>, <class 'int'>), 'nw_dst': (<class 'str'>, <class 'int'>), 'nw_proto': (<class 'str'>, <class 'int'>), 'nw_src': (<class 'str'>, <class 'int'>), 'nw_ttl': (<class 'str'>, <class 'int'>), 'pbb_isid': (<class 'str'>, <class 'int'>), 'sctp_dst': (<class 'str'>, <class 'int'>), 'sctp_src': (<class 'str'>, <class 'int'>), 'tcp_dst': (<class 'str'>, <class 'int'>), 'tcp_src': (<class 'str'>, <class 'int'>), 'tunnel_id': (<class 'str'>, <class 'int'>), 'udp_dst': (<class 'str'>, <class 'int'>), 'udp_src': (<class 'str'>, <class 'int'>), 'vlan_pcp': (<class 'str'>, <class 'int'>), 'vlan_vid': (<class 'str'>, <class 'int'>)}
- tunnel_types = {'bi_directional': <class 'bool'>, 'dp': <class 'str'>, 'exit_instructions': (<class 'list'>, None), 'maintain_encapsulation': <class 'bool'>, 'port': (<class 'str'>, <class 'int'>, None), 'reverse': <class 'bool'>, 'tunnel_id': (<class 'str'>, <class 'int'>, None), 'type': (<class 'str'>, None)}
- update_reverse_tunnel_rules(curr_dp, source_id, tunnel_id, out_port, output_table)[source]
Update the tunnel rulelist for when the output port has changed (reverse direction)