faucet.acl module

Configuration for ACLs.

class faucet.acl.ACL(_id, dp_id, conf)[source]

Bases: faucet.conf.Conf

Contains the state for an ACL, including the configuration.

ACL Config

ACLs are configured under the ‘acls’ configuration block. The acls block contains a dictionary of individual acls each keyed by its name.

Each acl contains a list of rules, a packet will have the first matching rule applied to it.

Each rule is a dictionary containing the single key ‘rule’ with the value the matches and actions for the rule.

The matches are key/values based on the ryu RESTFul API. The key ‘actions’ contains a dictionary with keys/values as follows:

  • allow (int): if 1 allow the packet to continue through the Faucet pipeline, if 0 drop the packet.

  • force_port_vlan (int): if 1, do not verify the VLAN/port association for this packet and override any VLAN ACL on the forced VLAN.

  • meter (str): meter to apply to the packet

  • output (dict): used to output a packet directly. details below.

  • cookie (int): set flow cookie to this value on this flow

The output action contains a dictionary with the following elements:

  • tunnel (dict): the tunnel formation, creates a tunnel from the applied port(s) to the specified destination

  • port (int or string): the port to output the packet to

  • ports (list): a list of the ports (int or string) to output the packet to

  • set_fields (list): a list of fields to set with values

  • pop_vlans: (int): pop the packet vlan before outputting

  • vlan_vid: (int): push the vlan vid on the packet when outputting

  • vlan_vids: (list): push the list of vlans on the packet when outputting, with option eth_type

  • swap_vid (int): rewrite the vlan vid of the packet when outputting

  • failover (dict): Output with a failover port (experimental)

actions_types = {'allow': <class 'int'>, 'force_port_vlan': <class 'int'>, 'meter': <class 'str'>, 'mirror': (<class 'str'>, <class 'int'>), 'output': <class 'dict'>}
build(meters, vid, port_num)[source]

Check that ACL can be built from config.


Check config at instantiation time for errors, typically via assert.

defaults = {'dot1x_assigned': False, 'exact_match': False, 'rules': None}
defaults_types = {'dot1x_assigned': <class 'bool'>, 'exact_match': <class 'bool'>, 'rules': <class 'list'>}

Configuration parsing marked complete.


Returns a port number of the src_port of the tunnel that the ingress tunnel ACL will need to match to. :param tunnel_id: tunnel identifier to obtain the src_port :type tunnel_id: int


src_port number if it exists, None otherwise

Return type

int OR None


Gets the tunnel ID for the rule :param rule_index: Index of the tunnel rule in the self.rules list :type rule_index: int


Identifier for the tunnel

Return type

tunnel_id (int)


Get the rules from the rule conf that contain tunnel outputs :returns: list of integer indices into the self.rules rule list that contain tunnel information :rtype: rules (list)

output_actions_types = {'failover': <class 'dict'>, 'pop_vlans': <class 'int'>, 'port': (<class 'str'>, <class 'int'>), 'ports': <class 'list'>, 'set_fields': <class 'list'>, 'swap_vid': <class 'int'>, 'tunnel': <class 'dict'>, 'vlan_vid': <class 'int'>, 'vlan_vids': <class 'list'>}

Removes all non-tunnel rules from the ACL and removes all match fields and non-tunnel required actions from the tunnel rules

resolve_ports(resolve_port_cb, resolve_tunnel_objects)[source]
rule_types = {'actions': <class 'dict'>, 'arp_op': (<class 'str'>, <class 'int'>), 'arp_sha': (<class 'str'>, <class 'int'>), 'arp_spa': (<class 'str'>, <class 'int'>), 'arp_tha': (<class 'str'>, <class 'int'>), 'arp_tpa': (<class 'str'>, <class 'int'>), 'cookie': <class 'int'>, 'description': <class 'str'>, 'dl_dst': (<class 'str'>, <class 'int'>), 'dl_src': (<class 'str'>, <class 'int'>), 'dl_type': (<class 'str'>, <class 'int'>), 'dl_vlan': (<class 'str'>, <class 'int'>), 'eth_dst': (<class 'str'>, <class 'int'>), 'eth_src': (<class 'str'>, <class 'int'>), 'eth_type': (<class 'str'>, <class 'int'>), 'icmpv4_code': (<class 'str'>, <class 'int'>), 'icmpv4_type': (<class 'str'>, <class 'int'>), 'icmpv6_code': (<class 'str'>, <class 'int'>), 'icmpv6_type': (<class 'str'>, <class 'int'>), 'in_phy_port': (<class 'str'>, <class 'int'>), 'in_port': (<class 'str'>, <class 'int'>), 'ip_dscp': (<class 'str'>, <class 'int'>), 'ip_ecn': (<class 'str'>, <class 'int'>), 'ip_proto': (<class 'str'>, <class 'int'>), 'ipv4_dst': (<class 'str'>, <class 'int'>), 'ipv4_src': (<class 'str'>, <class 'int'>), 'ipv6_dst': (<class 'str'>, <class 'int'>), 'ipv6_exthdr': (<class 'str'>, <class 'int'>), 'ipv6_flabel': (<class 'str'>, <class 'int'>), 'ipv6_nd_sll': (<class 'str'>, <class 'int'>), 'ipv6_nd_target': (<class 'str'>, <class 'int'>), 'ipv6_nd_tll': (<class 'str'>, <class 'int'>), 'ipv6_src': (<class 'str'>, <class 'int'>), 'metadata': (<class 'str'>, <class 'int'>), 'mpls_bos': (<class 'str'>, <class 'int'>), 'mpls_label': (<class 'str'>, <class 'int'>), 'mpls_tc': (<class 'str'>, <class 'int'>), 'nw_dst': (<class 'str'>, <class 'int'>), 'nw_proto': (<class 'str'>, <class 'int'>), 'nw_src': (<class 'str'>, <class 'int'>), 'pbb_isid': (<class 'str'>, <class 'int'>), 'sctp_dst': (<class 'str'>, <class 'int'>), 'sctp_src': (<class 'str'>, <class 'int'>), 'tcp_dst': (<class 'str'>, <class 'int'>), 'tcp_src': (<class 'str'>, <class 'int'>), 'tunnel_id': (<class 'str'>, <class 'int'>), 'udp_dst': (<class 'str'>, <class 'int'>), 'udp_src': (<class 'str'>, <class 'int'>), 'vlan_pcp': (<class 'str'>, <class 'int'>), 'vlan_vid': (<class 'str'>, <class 'int'>)}
tunnel_types = {'dp': <class 'str'>, 'port': (<class 'str'>, <class 'int'>), 'tunnel_id': (<class 'str'>, <class 'int'>), 'type': <class 'str'>}

Retrieves the information from the tunnel dict for the tunnel with id :param tunnel_id: Identifier for the tunnel :type tunnel_id: int


Tunnel information

Return type

(src_dp, src_port, dst_dp, dst_port)


Update the ACL rule conf if the DP is in the path :param dp: The dp that this tunnel acl object belongs to :type dp: DP


True if any value was updated

Return type



Verify the actions in the tunnel ACL to by making sure the user hasn’t specified an action/match that will create a clash. :param dp: The dp that this tunnel acl object belongs to :type dp: DP

TODO: Choose what combinations of matches & actions to disallow with a tunnel