faucet.acl module

Configuration for ACLs.

class faucet.acl.ACL(_id, dp_id, conf)[source]

Bases: Conf

Contains the state for an ACL, including the configuration.

ACL Config

ACLs are configured under the 'acls' configuration block. The acls block contains a dictionary of individual ACLs, each keyed by its name.

Each ACL contains a list of rules; a packet has the first matching rule applied to it.

Each rule is a dictionary containing the single key 'rule', whose value holds the matches and actions for the rule.

The matches are key/values based on the ryu RESTful API. The key 'actions' contains a dictionary with keys/values as follows:

  • allow (int): if 1 allow the packet to continue through the Faucet pipeline, if 0 drop the packet.

  • force_port_vlan (int): if 1, do not verify the VLAN/port association for this packet and override any VLAN ACL on the forced VLAN.

  • meter (str): meter to apply to the packet

  • output (dict): used to output a packet directly; details below.

  • cookie (int): set flow cookie to this value on this flow

The output action contains a dictionary with the following elements:

  • tunnel (dict): the tunnel formation, creates a tunnel from the applied port(s) to the specified destination

  • port (int or string): the port to output the packet to

  • ports (list): a list of the ports (int or string) to output the packet to

  • set_fields (list): a list of fields to set with values

  • pop_vlans (int): pop the packet vlan before outputting

  • vlan_vid (int): push the vlan vid on the packet when outputting

  • vlan_vids (list): push the list of vlans on the packet when outputting, with an optional eth_type

  • swap_vid (int): rewrite the vlan vid of the packet when outputting

  • failover (dict): Output with a failover port (experimental)
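The following is an added example, not code from the Faucet project: it models an 'acls' block as the Python equivalent of the YAML described above, type-checks it against the actions_types, output_actions_types and (a subset of) rule_types tables listed on this page, and applies the first-match semantics to a few constructed packets. The ACL name 'office-acl', the rules and the packet dictionaries are constructed for illustration; port-name resolution, meters and tunnels that the real ACL class handles are not modelled.

```python
"""Added example (not Faucet's own code): type-check an ACL block shaped like
the documented 'acls' configuration and apply first-match semantics.

Type tables are copied from the faucet.acl.ACL attributes on this page;
the ACL content and packets below are constructed for illustration.
"""

# actions_types and output_actions_types, as documented on the page.
ACTIONS_TYPES = {"allow": int, "ct": dict, "force_port_vlan": int,
                 "meter": str, "mirror": (str, int), "output": (dict, list)}
OUTPUT_ACTIONS_TYPES = {"failover": dict, "pop_vlans": int, "port": (str, int),
                        "ports": list, "set_fields": list, "swap_vid": int,
                        "tunnel": dict, "vlan_vid": int, "vlan_vids": list}
# Subset of rule_types: every match field accepts str or int.
MATCH_TYPES = {k: (str, int) for k in ("dl_type", "ip_proto", "ipv4_src",
                                       "ipv4_dst", "tcp_dst", "udp_dst",
                                       "in_port", "eth_src")}
RULE_TYPES = dict(MATCH_TYPES, actions=dict, cookie=int, description=str)

# Constructed ACL (assumed name): drop inbound SSH, steer traffic for one
# host to port 3, allow everything else. Order matters: first match wins.
ACLS = {
    "office-acl": [
        {"rule": {"dl_type": 0x800, "ip_proto": 6, "tcp_dst": 22,
                  "actions": {"allow": 0}}},
        {"rule": {"dl_type": 0x800, "ipv4_dst": "10.0.0.5",
                  "actions": {"allow": 1, "output": {"port": 3}}}},
        {"rule": {"actions": {"allow": 1}}},
    ],
}


def check_types(conf, types, where):
    """Return a list of errors for keys missing from `types` or of wrong type."""
    errors = []
    for key, value in conf.items():
        if key not in types:
            errors.append(f"{where}: unknown key {key!r}")
        elif not isinstance(value, types[key]):
            errors.append(f"{where}: {key!r} has type {type(value).__name__}, "
                          f"expected {types[key]}")
    return errors


def check_acl(name, rules):
    """Validate one ACL's rule list; an empty list means the ACL is well-formed."""
    if not isinstance(rules, list):
        return [f"{name}: rules must be a list"]
    errors = []
    for i, entry in enumerate(rules):
        where = f"{name}[{i}]"
        # Each list entry must be a dict with the single key 'rule'.
        if not isinstance(entry, dict) or set(entry) != {"rule"}:
            errors.append(f"{where}: entry must contain the single key 'rule'")
            continue
        rule = entry["rule"]
        errors += check_types(rule, RULE_TYPES, where)
        actions = rule.get("actions", {})
        errors += check_types(actions, ACTIONS_TYPES, where + ".actions")
        output = actions.get("output")
        if isinstance(output, dict):
            errors += check_types(output, OUTPUT_ACTIONS_TYPES,
                                  where + ".actions.output")
    return errors


def first_match(rules, packet):
    """Return the actions of the first rule whose match fields all equal the
    packet's fields (a rule with no match fields matches everything)."""
    for entry in rules:
        rule = entry["rule"]
        matches = {k: v for k, v in rule.items() if k in MATCH_TYPES}
        if all(packet.get(k) == v for k, v in matches.items()):
            return rule["actions"]
    return None


if __name__ == "__main__":
    for acl_name, acl_rules in ACLS.items():
        print(acl_name, "errors:", check_acl(acl_name, acl_rules))
    ssh = {"dl_type": 0x800, "ip_proto": 6, "tcp_dst": 22}
    print("ssh ->", first_match(ACLS["office-acl"], ssh))
```

A misordered ACL silently changes policy: moving the catch-all allow rule to the top would let the SSH traffic through, because the first matching rule wins and the later rules are never consulted. Validating key names and types before loading the configuration catches the class of error where a misspelled action key (for example a string where an int is expected) would otherwise be rejected only at instantiation time by check_config().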

actions_types = {'allow': <class 'int'>, 'ct': <class 'dict'>, 'force_port_vlan': <class 'int'>, 'meter': <class 'str'>, 'mirror': (<class 'str'>, <class 'int'>), 'output': (<class 'dict'>, <class 'list'>)}
add_tunnel_source(dp_name, port, reverse=False, bi_directional=False)[source]

Add a source dp/port pair for the tunnel ACL

build(meters, vid, port_num)[source]

Check that ACL can be built from config.

check_config()[source]

Check config at instantiation time for errors, typically via assert.

ct_action_nat_types = {'flags': <class 'int'>, 'range_ipv4_max': <class 'str'>, 'range_ipv4_min': <class 'str'>, 'range_ipv6_max': <class 'str'>, 'range_ipv6_min': <class 'str'>, 'range_proto_max': <class 'int'>, 'range_proto_min': <class 'int'>}
ct_action_types = {'alg': <class 'int'>, 'clear': <class 'bool'>, 'flags': <class 'int'>, 'nat': <class 'dict'>, 'table': <class 'int'>, 'zone': <class 'int'>, 'zone_src': <class 'int'>}
defaults: dict = {'dot1x_assigned': False, 'exact_match': False, 'rules': None}
defaults_types: dict = {'dot1x_assigned': <class 'bool'>, 'exact_match': <class 'bool'>, 'rules': <class 'list'>}
static does_rule_contain_tunnel(rule_conf)[source]

Return true if the ACL rule contains a tunnel

finalize()[source]

Configuration parsing marked complete.

get_meters()[source]

Yield meters for each rule in ACL

get_mirror_destinations()[source]

Yield mirror destinations for each rule in ACL

get_num_tunnels()[source]

Returns the number of tunnels specified in the ACL

get_tunnel_rules(tunnel_id)[source]

Return the list of rules that apply a specific tunnel ID

is_tunnel_acl()[source]

Return true if the ACL contains a tunnel

mutable_attrs: frozenset = frozenset({'tunnel_sources'})
output_actions_types = {'failover': <class 'dict'>, 'pop_vlans': <class 'int'>, 'port': (<class 'str'>, <class 'int'>), 'ports': <class 'list'>, 'set_fields': <class 'list'>, 'swap_vid': <class 'int'>, 'tunnel': <class 'dict'>, 'vlan_vid': <class 'int'>, 'vlan_vids': <class 'list'>}
requires_reverse_tunnel(tunnel_id)[source]

Returns true if the tunnel requires a reverse pathway

resolve_ports(resolve_port_cb, resolve_tunnel_objects)[source]

Resolve the values for the actions of an ACL

rule_types = {'actions': <class 'dict'>, 'arp_op': (<class 'str'>, <class 'int'>), 'arp_sha': (<class 'str'>, <class 'int'>), 'arp_spa': (<class 'str'>, <class 'int'>), 'arp_tha': (<class 'str'>, <class 'int'>), 'arp_tpa': (<class 'str'>, <class 'int'>), 'cookie': <class 'int'>, 'ct_label': (<class 'str'>, <class 'int'>), 'ct_mark': (<class 'str'>, <class 'int'>), 'ct_state': (<class 'str'>, <class 'int'>), 'ct_zone': (<class 'str'>, <class 'int'>), 'description': <class 'str'>, 'dl_dst': (<class 'str'>, <class 'int'>), 'dl_src': (<class 'str'>, <class 'int'>), 'dl_type': (<class 'str'>, <class 'int'>), 'dl_vlan': (<class 'str'>, <class 'int'>), 'eth_dst': (<class 'str'>, <class 'int'>), 'eth_src': (<class 'str'>, <class 'int'>), 'eth_type': (<class 'str'>, <class 'int'>), 'eth_type_nxm': (<class 'str'>, <class 'int'>), 'icmpv4_code': (<class 'str'>, <class 'int'>), 'icmpv4_type': (<class 'str'>, <class 'int'>), 'icmpv6_code': (<class 'str'>, <class 'int'>), 'icmpv6_type': (<class 'str'>, <class 'int'>), 'in_phy_port': (<class 'str'>, <class 'int'>), 'in_port': (<class 'str'>, <class 'int'>), 'ip_dscp': (<class 'str'>, <class 'int'>), 'ip_ecn': (<class 'str'>, <class 'int'>), 'ip_proto': (<class 'str'>, <class 'int'>), 'ip_proto_nxm': (<class 'str'>, <class 'int'>), 'ipv4_dst': (<class 'str'>, <class 'int'>), 'ipv4_src': (<class 'str'>, <class 'int'>), 'ipv6_dst': (<class 'str'>, <class 'int'>), 'ipv6_exthdr': (<class 'str'>, <class 'int'>), 'ipv6_flabel': (<class 'str'>, <class 'int'>), 'ipv6_nd_sll': (<class 'str'>, <class 'int'>), 'ipv6_nd_target': (<class 'str'>, <class 'int'>), 'ipv6_nd_tll': (<class 'str'>, <class 'int'>), 'ipv6_src': (<class 'str'>, <class 'int'>), 'metadata': (<class 'str'>, <class 'int'>), 'mpls_bos': (<class 'str'>, <class 'int'>), 'mpls_label': (<class 'str'>, <class 'int'>), 'mpls_tc': (<class 'str'>, <class 'int'>), 'nw_dst': (<class 'str'>, <class 'int'>), 'nw_proto': (<class 'str'>, <class 'int'>), 'nw_src': (<class 'str'>, <class 'int'>), 'nw_ttl': (<class 'str'>, <class 'int'>), 'pbb_isid': (<class 'str'>, <class 'int'>), 'sctp_dst': (<class 'str'>, <class 'int'>), 'sctp_src': (<class 'str'>, <class 'int'>), 'tcp_dst': (<class 'str'>, <class 'int'>), 'tcp_src': (<class 'str'>, <class 'int'>), 'tunnel_id': (<class 'str'>, <class 'int'>), 'udp_dst': (<class 'str'>, <class 'int'>), 'udp_src': (<class 'str'>, <class 'int'>), 'vlan_pcp': (<class 'str'>, <class 'int'>), 'vlan_vid': (<class 'str'>, <class 'int'>)}
tunnel_types = {'bi_directional': <class 'bool'>, 'dp': <class 'str'>, 'exit_instructions': (<class 'list'>, None), 'maintain_encapsulation': <class 'bool'>, 'port': (<class 'str'>, <class 'int'>, None), 'reverse': <class 'bool'>, 'tunnel_id': (<class 'str'>, <class 'int'>, None), 'type': (<class 'str'>, None)}
update_reverse_tunnel_rules(curr_dp, source_id, tunnel_id, out_port, output_table)[source]

Update the tunnel rulelist for when the output port has changed (reverse direction)

update_source_tunnel_rules(curr_dp, source_id, tunnel_id, out_port, output_table)[source]

Update the tunnel rulelist for when the output port has changed

verify_tunnel_rules()[source]

Make sure that matches & set fields are configured correctly to handle tunnels