diff --git a/Godeps/Godeps.json b/Godeps/Godeps.json
index b875f5f44..a7d62f752 100644
--- a/Godeps/Godeps.json
+++ b/Godeps/Godeps.json
@@ -1,6 +1,6 @@
{
"ImportPath": "github.com/contiv/netplugin",
- "GoVersion": "go1.7",
+ "GoVersion": "go1.9",
"GodepVersion": "v79",
"Packages": [
"./..."
@@ -99,23 +99,23 @@
},
{
"ImportPath": "github.com/contiv/ofnet",
- "Rev": "c080e5b6e9bede4db7b5da634c3de01c346edc84"
+ "Rev": "2e64d1a26ff11efbc7e50188b4e00e331babf48f"
},
{
"ImportPath": "github.com/contiv/ofnet/ofctrl",
- "Rev": "c080e5b6e9bede4db7b5da634c3de01c346edc84"
+ "Rev": "2e64d1a26ff11efbc7e50188b4e00e331babf48f"
},
{
"ImportPath": "github.com/contiv/ofnet/ovsdbDriver",
- "Rev": "c080e5b6e9bede4db7b5da634c3de01c346edc84"
+ "Rev": "2e64d1a26ff11efbc7e50188b4e00e331babf48f"
},
{
"ImportPath": "github.com/contiv/ofnet/pqueue",
- "Rev": "c080e5b6e9bede4db7b5da634c3de01c346edc84"
+ "Rev": "2e64d1a26ff11efbc7e50188b4e00e331babf48f"
},
{
"ImportPath": "github.com/contiv/ofnet/rpcHub",
- "Rev": "c080e5b6e9bede4db7b5da634c3de01c346edc84"
+ "Rev": "2e64d1a26ff11efbc7e50188b4e00e331babf48f"
},
{
"ImportPath": "github.com/contiv/remotessh",
@@ -153,147 +153,147 @@
},
{
"ImportPath": "github.com/docker/distribution/digest",
- "Comment": "v2.4.0-rc.1-36-g9d49169",
+ "Comment": "v2.4.0-rc.1-36-g9d491698",
"Rev": "9d491698ccf3eba4e87213350518dbaacf8e9650"
},
{
"ImportPath": "github.com/docker/distribution/reference",
- "Comment": "v2.4.0-rc.1-36-g9d49169",
+ "Comment": "v2.4.0-rc.1-36-g9d491698",
"Rev": "9d491698ccf3eba4e87213350518dbaacf8e9650"
},
{
"ImportPath": "github.com/docker/docker/api",
- "Comment": "v1.13.1-43-g8b1112b",
+ "Comment": "v1.13.1-43-g8b1112be3",
"Rev": "8b1112be3ba30451578b0033f98600b4c7f50909"
},
{
"ImportPath": "github.com/docker/docker/api/server/httputils",
- "Comment": "v1.13.1-43-g8b1112b",
+ "Comment": "v1.13.1-43-g8b1112be3",
"Rev": "8b1112be3ba30451578b0033f98600b4c7f50909"
},
{
"ImportPath": "github.com/docker/docker/api/types",
- "Comment": "v1.13.1-43-g8b1112b",
+ "Comment": "v1.13.1-43-g8b1112be3",
"Rev": "8b1112be3ba30451578b0033f98600b4c7f50909"
},
{
"ImportPath": "github.com/docker/docker/api/types/blkiodev",
- "Comment": "v1.13.1-43-g8b1112b",
+ "Comment": "v1.13.1-43-g8b1112be3",
"Rev": "8b1112be3ba30451578b0033f98600b4c7f50909"
},
{
"ImportPath": "github.com/docker/docker/api/types/container",
- "Comment": "v1.13.1-43-g8b1112b",
+ "Comment": "v1.13.1-43-g8b1112be3",
"Rev": "8b1112be3ba30451578b0033f98600b4c7f50909"
},
{
"ImportPath": "github.com/docker/docker/api/types/events",
- "Comment": "v1.13.1-43-g8b1112b",
+ "Comment": "v1.13.1-43-g8b1112be3",
"Rev": "8b1112be3ba30451578b0033f98600b4c7f50909"
},
{
"ImportPath": "github.com/docker/docker/api/types/filters",
- "Comment": "v1.13.1-43-g8b1112b",
+ "Comment": "v1.13.1-43-g8b1112be3",
"Rev": "8b1112be3ba30451578b0033f98600b4c7f50909"
},
{
"ImportPath": "github.com/docker/docker/api/types/mount",
- "Comment": "v1.13.1-43-g8b1112b",
+ "Comment": "v1.13.1-43-g8b1112be3",
"Rev": "8b1112be3ba30451578b0033f98600b4c7f50909"
},
{
"ImportPath": "github.com/docker/docker/api/types/network",
- "Comment": "v1.13.1-43-g8b1112b",
+ "Comment": "v1.13.1-43-g8b1112be3",
"Rev": "8b1112be3ba30451578b0033f98600b4c7f50909"
},
{
"ImportPath": "github.com/docker/docker/api/types/reference",
- "Comment": "v1.13.1-43-g8b1112b",
+ "Comment": "v1.13.1-43-g8b1112be3",
"Rev": "8b1112be3ba30451578b0033f98600b4c7f50909"
},
{
"ImportPath": "github.com/docker/docker/api/types/registry",
- "Comment": "v1.13.1-43-g8b1112b",
+ "Comment": "v1.13.1-43-g8b1112be3",
"Rev": "8b1112be3ba30451578b0033f98600b4c7f50909"
},
{
"ImportPath": "github.com/docker/docker/api/types/strslice",
- "Comment": "v1.13.1-43-g8b1112b",
+ "Comment": "v1.13.1-43-g8b1112be3",
"Rev": "8b1112be3ba30451578b0033f98600b4c7f50909"
},
{
"ImportPath": "github.com/docker/docker/api/types/swarm",
- "Comment": "v1.13.1-43-g8b1112b",
+ "Comment": "v1.13.1-43-g8b1112be3",
"Rev": "8b1112be3ba30451578b0033f98600b4c7f50909"
},
{
"ImportPath": "github.com/docker/docker/api/types/time",
- "Comment": "v1.13.1-43-g8b1112b",
+ "Comment": "v1.13.1-43-g8b1112be3",
"Rev": "8b1112be3ba30451578b0033f98600b4c7f50909"
},
{
"ImportPath": "github.com/docker/docker/api/types/versions",
- "Comment": "v1.13.1-43-g8b1112b",
+ "Comment": "v1.13.1-43-g8b1112be3",
"Rev": "8b1112be3ba30451578b0033f98600b4c7f50909"
},
{
"ImportPath": "github.com/docker/docker/api/types/volume",
- "Comment": "v1.13.1-43-g8b1112b",
+ "Comment": "v1.13.1-43-g8b1112be3",
"Rev": "8b1112be3ba30451578b0033f98600b4c7f50909"
},
{
"ImportPath": "github.com/docker/docker/client",
- "Comment": "v1.13.1-43-g8b1112b",
+ "Comment": "v1.13.1-43-g8b1112be3",
"Rev": "8b1112be3ba30451578b0033f98600b4c7f50909"
},
{
"ImportPath": "github.com/docker/docker/dockerversion",
- "Comment": "v1.13.1-43-g8b1112b",
+ "Comment": "v1.13.1-43-g8b1112be3",
"Rev": "8b1112be3ba30451578b0033f98600b4c7f50909"
},
{
"ImportPath": "github.com/docker/docker/pkg/ioutils",
- "Comment": "v1.13.1-43-g8b1112b",
+ "Comment": "v1.13.1-43-g8b1112be3",
"Rev": "8b1112be3ba30451578b0033f98600b4c7f50909"
},
{
"ImportPath": "github.com/docker/docker/pkg/longpath",
- "Comment": "v1.13.1-43-g8b1112b",
+ "Comment": "v1.13.1-43-g8b1112be3",
"Rev": "8b1112be3ba30451578b0033f98600b4c7f50909"
},
{
"ImportPath": "github.com/docker/docker/pkg/parsers/kernel",
- "Comment": "v1.13.1-43-g8b1112b",
+ "Comment": "v1.13.1-43-g8b1112be3",
"Rev": "8b1112be3ba30451578b0033f98600b4c7f50909"
},
{
"ImportPath": "github.com/docker/docker/pkg/plugingetter",
- "Comment": "v1.13.1-43-g8b1112b",
+ "Comment": "v1.13.1-43-g8b1112be3",
"Rev": "8b1112be3ba30451578b0033f98600b4c7f50909"
},
{
"ImportPath": "github.com/docker/docker/pkg/plugins",
- "Comment": "v1.13.1-43-g8b1112b",
+ "Comment": "v1.13.1-43-g8b1112be3",
"Rev": "8b1112be3ba30451578b0033f98600b4c7f50909"
},
{
"ImportPath": "github.com/docker/docker/pkg/plugins/transport",
- "Comment": "v1.13.1-43-g8b1112b",
+ "Comment": "v1.13.1-43-g8b1112be3",
"Rev": "8b1112be3ba30451578b0033f98600b4c7f50909"
},
{
"ImportPath": "github.com/docker/docker/pkg/system",
- "Comment": "v1.13.1-43-g8b1112b",
+ "Comment": "v1.13.1-43-g8b1112be3",
"Rev": "8b1112be3ba30451578b0033f98600b4c7f50909"
},
{
"ImportPath": "github.com/docker/docker/pkg/tlsconfig",
- "Comment": "v1.13.1-43-g8b1112b",
+ "Comment": "v1.13.1-43-g8b1112be3",
"Rev": "8b1112be3ba30451578b0033f98600b4c7f50909"
},
{
"ImportPath": "github.com/docker/docker/pkg/useragent",
- "Comment": "v1.13.1-43-g8b1112b",
+ "Comment": "v1.13.1-43-g8b1112be3",
"Rev": "8b1112be3ba30451578b0033f98600b4c7f50909"
},
{
@@ -318,37 +318,37 @@
},
{
"ImportPath": "github.com/docker/libnetwork/discoverapi",
- "Comment": "v0.8.0-dev.2-663-g5537cb4",
+ "Comment": "v0.8.0-dev.2-663-g5537cb4b",
"Rev": "5537cb4b15c16eff2619db126ead3271e0ab45eb"
},
{
"ImportPath": "github.com/docker/libnetwork/driverapi",
- "Comment": "v0.8.0-dev.2-663-g5537cb4",
+ "Comment": "v0.8.0-dev.2-663-g5537cb4b",
"Rev": "5537cb4b15c16eff2619db126ead3271e0ab45eb"
},
{
"ImportPath": "github.com/docker/libnetwork/drivers/remote/api",
- "Comment": "v0.8.0-dev.2-663-g5537cb4",
+ "Comment": "v0.8.0-dev.2-663-g5537cb4b",
"Rev": "5537cb4b15c16eff2619db126ead3271e0ab45eb"
},
{
"ImportPath": "github.com/docker/libnetwork/ipamapi",
- "Comment": "v0.8.0-dev.2-663-g5537cb4",
+ "Comment": "v0.8.0-dev.2-663-g5537cb4b",
"Rev": "5537cb4b15c16eff2619db126ead3271e0ab45eb"
},
{
"ImportPath": "github.com/docker/libnetwork/ipams/remote/api",
- "Comment": "v0.8.0-dev.2-663-g5537cb4",
+ "Comment": "v0.8.0-dev.2-663-g5537cb4b",
"Rev": "5537cb4b15c16eff2619db126ead3271e0ab45eb"
},
{
"ImportPath": "github.com/docker/libnetwork/netlabel",
- "Comment": "v0.8.0-dev.2-663-g5537cb4",
+ "Comment": "v0.8.0-dev.2-663-g5537cb4b",
"Rev": "5537cb4b15c16eff2619db126ead3271e0ab45eb"
},
{
"ImportPath": "github.com/docker/libnetwork/types",
- "Comment": "v0.8.0-dev.2-663-g5537cb4",
+ "Comment": "v0.8.0-dev.2-663-g5537cb4b",
"Rev": "5537cb4b15c16eff2619db126ead3271e0ab45eb"
},
{
@@ -362,7 +362,7 @@
},
{
"ImportPath": "github.com/eapache/queue",
- "Comment": "v1.1.0",
+ "Comment": "v1.0.2-7-g44cc805",
"Rev": "44cc805cf13205b55f69e14bcb69867d1ae92f98"
},
{
@@ -408,12 +408,12 @@
},
{
"ImportPath": "github.com/gogo/protobuf/proto",
- "Comment": "v0.4-8-g3043356",
+ "Comment": "v0.4-8-g30433562",
"Rev": "30433562cfbf487fe1df7cd26c7bab168d2f14d0"
},
{
"ImportPath": "github.com/gogo/protobuf/sortkeys",
- "Comment": "v0.4-8-g3043356",
+ "Comment": "v0.4-8-g30433562",
"Rev": "30433562cfbf487fe1df7cd26c7bab168d2f14d0"
},
{
@@ -481,7 +481,7 @@
},
{
"ImportPath": "github.com/hashicorp/consul/api",
- "Comment": "v0.6.4-39-g3340d7c",
+ "Comment": "v0.6.4-39-g3340d7cc",
"Rev": "3340d7ccd74d4185b1c126833988457da5e414c8"
},
{
@@ -531,17 +531,17 @@
},
{
"ImportPath": "github.com/influxdata/influxdb/client/v2",
- "Comment": "v1.0.0-beta3-128-g3c12403",
+ "Comment": "v1.0.0-beta3-128-g3c124036f",
"Rev": "3c124036f0aea8e7f7b4dde76bdda5052bc58333"
},
{
"ImportPath": "github.com/influxdata/influxdb/models",
- "Comment": "v1.0.0-beta3-128-g3c12403",
+ "Comment": "v1.0.0-beta3-128-g3c124036f",
"Rev": "3c124036f0aea8e7f7b4dde76bdda5052bc58333"
},
{
"ImportPath": "github.com/influxdata/influxdb/pkg/escape",
- "Comment": "v1.0.0-beta3-128-g3c12403",
+ "Comment": "v1.0.0-beta3-128-g3c124036f",
"Rev": "3c124036f0aea8e7f7b4dde76bdda5052bc58333"
},
{
@@ -594,7 +594,7 @@
},
{
"ImportPath": "github.com/opencontainers/runc/libcontainer/user",
- "Comment": "v0.0.3-14-g9be9157",
+ "Comment": "v0.0.3-14-g9be9157f",
"Rev": "9be9157fc5cd9cf59c155fe194a0acc5f1e6f926"
},
{
diff --git a/Makefile b/Makefile
index 854c54909..c106213e2 100755
--- a/Makefile
+++ b/Makefile
@@ -150,7 +150,7 @@ k8s-l3-destroy:
# ===================================================================
# kubernetes dev
-k8s-dev: checks-with-docker compile-with-docker binaries-from-container
+k8s-dev: compile-with-docker binaries-from-container
CONTIV_TEST="dev" make k8s-cluster
# kubernetes test targets
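Review bot: `k8s-dev` no longer depends on `checks-with-docker`, so a dev cluster can be built from a tree that has not passed the project's checks, and nothing in the hunk says why. If the skip is deliberate (for faster iteration), record it above the target, e.g. `# k8s-dev skips checks-with-docker for speed; run 'make checks-with-docker' before pushing`.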
diff --git a/contivmodel/.gitignore b/contivModel/.gitignore
similarity index 100%
rename from contivmodel/.gitignore
rename to contivModel/.gitignore
diff --git a/contivmodel/LICENSE b/contivModel/LICENSE
similarity index 100%
rename from contivmodel/LICENSE
rename to contivModel/LICENSE
diff --git a/contivmodel/Makefile b/contivModel/Makefile
similarity index 75%
rename from contivmodel/Makefile
rename to contivModel/Makefile
index 2ced11288..5764fa02b 100644
--- a/contivmodel/Makefile
+++ b/contivModel/Makefile
@@ -10,7 +10,7 @@ godep:
godep save ./...
modelgen:
- @if [ -z "`which modelgen`" ]; then go get -v github.com/contiv/modelgen; fi
+ @go get -u -v github.com/contiv/modelgen
# systemtest runs all of the systemtests
systemtests:
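Review bot: The `modelgen` target now runs `go get -u -v github.com/contiv/modelgen` unconditionally, so every invocation fetches and installs whatever is at the tip of that repository and its dependencies. Presumably this tool produces the generated model and validation code, so its output can change, or be altered by an unexpected upstream push, without any change in this tree. Pin the generator to a reviewed revision (vendor it, or check out a fixed commit before `go install`) so generation is reproducible. If tracking the tip is intended, a comment on the target should say so.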
diff --git a/contivmodel/README.md b/contivModel/README.md
similarity index 100%
rename from contivmodel/README.md
rename to contivModel/README.md
diff --git a/contivmodel/aciGw.json b/contivModel/aciGw.json
similarity index 100%
rename from contivmodel/aciGw.json
rename to contivModel/aciGw.json
diff --git a/contivmodel/appProfile.json b/contivModel/appProfile.json
similarity index 100%
rename from contivmodel/appProfile.json
rename to contivModel/appProfile.json
diff --git a/contivmodel/bgphost.json b/contivModel/bgphost.json
similarity index 100%
rename from contivmodel/bgphost.json
rename to contivModel/bgphost.json
diff --git a/contivmodel/client/contivModel.js b/contivModel/client/contivModel.js
similarity index 97%
rename from contivmodel/client/contivModel.js
rename to contivModel/client/contivModel.js
index dbcf10a46..ab82f1f9b 100644
--- a/contivmodel/client/contivModel.js
+++ b/contivModel/client/contivModel.js
@@ -642,7 +642,7 @@ var RuleSummaryView = React.createClass({
}>
@@ -680,10 +680,12 @@ var RuleModalView = React.createClass({
-
+
+
+
@@ -698,10 +700,12 @@ var RuleModalView = React.createClass({
-
+
+
+
diff --git a/contivmodel/client/contivModelClient.go b/contivModel/client/contivModelClient.go
similarity index 99%
rename from contivmodel/client/contivModelClient.go
rename to contivModel/client/contivModelClient.go
index 8435fab54..7c40dd891 100644
--- a/contivmodel/client/contivModelClient.go
+++ b/contivModel/client/contivModelClient.go
@@ -703,8 +703,9 @@ type Rule struct {
Action string `json:"action,omitempty"` // Action
Direction string `json:"direction,omitempty"` // Direction
FromEndpointGroup string `json:"fromEndpointGroup,omitempty"` // From Endpoint Group
- FromIpAddress string `json:"fromIpAddress,omitempty"` // IP Address
+ FromIpAddress string `json:"fromIpAddress,omitempty"` // From IP Address
FromNetwork string `json:"fromNetwork,omitempty"` // From Network
+ FromTenantName string `json:"fromTenantName,omitempty"` // From Tenant Name
PolicyName string `json:"policyName,omitempty"` // Policy Name
Port int `json:"port,omitempty"` // Port No
Priority int `json:"priority,omitempty"` // Priority
@@ -712,8 +713,9 @@ type Rule struct {
RuleID string `json:"ruleId,omitempty"` // Rule Id
TenantName string `json:"tenantName,omitempty"` // Tenant Name
ToEndpointGroup string `json:"toEndpointGroup,omitempty"` // To Endpoint Group
- ToIpAddress string `json:"toIpAddress,omitempty"` // IP Address
+ ToIpAddress string `json:"toIpAddress,omitempty"` // To IP Address
ToNetwork string `json:"toNetwork,omitempty"` // To Network
+ ToTenantName string `json:"toTenantName,omitempty"` // To Tenant Name
// add link-sets and links
LinkSets RuleLinkSets `json:"link-sets,omitempty"`
diff --git a/contivmodel/client/contivModelClient.py b/contivModel/client/contivModelClient.py
similarity index 99%
rename from contivmodel/client/contivModelClient.py
rename to contivModel/client/contivModelClient.py
index cffa027cf..88e84715b 100644
--- a/contivmodel/client/contivModelClient.py
+++ b/contivModel/client/contivModelClient.py
@@ -512,6 +512,7 @@ def createRule(self, obj):
"fromEndpointGroup": obj.fromEndpointGroup,
"fromIpAddress": obj.fromIpAddress,
"fromNetwork": obj.fromNetwork,
+ "fromTenantName": obj.fromTenantName,
"policyName": obj.policyName,
"port": obj.port,
"priority": obj.priority,
@@ -521,6 +522,7 @@ def createRule(self, obj):
"toEndpointGroup": obj.toEndpointGroup,
"toIpAddress": obj.toIpAddress,
"toNetwork": obj.toNetwork,
+ "toTenantName": obj.toTenantName,
})
# Post the data
diff --git a/contivmodel/contivModel.go b/contivModel/contivModel.go
similarity index 99%
rename from contivmodel/contivModel.go
rename to contivModel/contivModel.go
index 99e2dbd84..686c20c1e 100644
--- a/contivmodel/contivModel.go
+++ b/contivModel/contivModel.go
@@ -342,8 +342,9 @@ type Rule struct {
Action string `json:"action,omitempty"` // Action
Direction string `json:"direction,omitempty"` // Direction
FromEndpointGroup string `json:"fromEndpointGroup,omitempty"` // From Endpoint Group
- FromIpAddress string `json:"fromIpAddress,omitempty"` // IP Address
+ FromIpAddress string `json:"fromIpAddress,omitempty"` // From IP Address
FromNetwork string `json:"fromNetwork,omitempty"` // From Network
+ FromTenantName string `json:"fromTenantName,omitempty"` // From Tenant Name
PolicyName string `json:"policyName,omitempty"` // Policy Name
Port int `json:"port,omitempty"` // Port No
Priority int `json:"priority,omitempty"` // Priority
@@ -351,8 +352,9 @@ type Rule struct {
RuleID string `json:"ruleId,omitempty"` // Rule Id
TenantName string `json:"tenantName,omitempty"` // Tenant Name
ToEndpointGroup string `json:"toEndpointGroup,omitempty"` // To Endpoint Group
- ToIpAddress string `json:"toIpAddress,omitempty"` // IP Address
+ ToIpAddress string `json:"toIpAddress,omitempty"` // To IP Address
ToNetwork string `json:"toNetwork,omitempty"` // To Network
+ ToTenantName string `json:"toTenantName,omitempty"` // To Tenant Name
// add link-sets and links
LinkSets RuleLinkSets `json:"link-sets,omitempty"`
@@ -4497,6 +4499,15 @@ func ValidateRule(obj *Rule) error {
return errors.New("fromNetwork string invalid format")
}
+ if len(obj.FromTenantName) > 64 {
+ return errors.New("fromTenantName string too long")
+ }
+
+ fromTenantNameMatch := regexp.MustCompile("^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])?$")
+ if fromTenantNameMatch.MatchString(obj.FromTenantName) == false {
+ return errors.New("fromTenantName string invalid format")
+ }
+
if len(obj.PolicyName) > 64 {
return errors.New("policyName string too long")
}
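Review bot: The added `fromTenantName` check calls `regexp.MustCompile` inside `ValidateRule`, so the pattern is recompiled on every validation; the `toTenantName` hunk further down does the same with an identical pattern. Compile it once at package scope, e.g. `var tenantNameRE = regexp.MustCompile(...)` with the same pattern string, and use it for both fields; if this file is generator output, the change belongs in the generator template instead. The check is syntactic only and also accepts an empty string, so whether a caller may reference a tenant other than `obj.TenantName` has to be enforced where the rule is created; that code is not visible in this diff and is worth confirming. `ValidateRule` starts outside this hunk.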
@@ -4568,6 +4579,15 @@ func ValidateRule(obj *Rule) error {
return errors.New("toNetwork string invalid format")
}
+ if len(obj.ToTenantName) > 64 {
+ return errors.New("toTenantName string too long")
+ }
+
+ toTenantNameMatch := regexp.MustCompile("^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])?$")
+ if toTenantNameMatch.MatchString(obj.ToTenantName) == false {
+ return errors.New("toTenantName string invalid format")
+ }
+
return nil
}
diff --git a/contivmodel/contivModel.png b/contivModel/contivModel.png
similarity index 100%
rename from contivmodel/contivModel.png
rename to contivModel/contivModel.png
diff --git a/contivmodel/endpoint.json b/contivModel/endpoint.json
similarity index 100%
rename from contivmodel/endpoint.json
rename to contivModel/endpoint.json
diff --git a/contivmodel/endpointGroup.json b/contivModel/endpointGroup.json
similarity index 100%
rename from contivmodel/endpointGroup.json
rename to contivModel/endpointGroup.json
diff --git a/contivmodel/extContractsGroup.json b/contivModel/extContractsGroup.json
similarity index 100%
rename from contivmodel/extContractsGroup.json
rename to contivModel/extContractsGroup.json
diff --git a/contivmodel/generate.sh b/contivModel/generate.sh
similarity index 100%
rename from contivmodel/generate.sh
rename to contivModel/generate.sh
diff --git a/contivmodel/global.json b/contivModel/global.json
similarity index 100%
rename from contivmodel/global.json
rename to contivModel/global.json
diff --git a/contivmodel/netProfile.json b/contivModel/netProfile.json
similarity index 100%
rename from contivmodel/netProfile.json
rename to contivModel/netProfile.json
diff --git a/contivmodel/network.json b/contivModel/network.json
similarity index 100%
rename from contivmodel/network.json
rename to contivModel/network.json
diff --git a/contivmodel/policy.json b/contivModel/policy.json
similarity index 100%
rename from contivmodel/policy.json
rename to contivModel/policy.json
diff --git a/contivmodel/rule.json b/contivModel/rule.json
similarity index 87%
rename from contivmodel/rule.json
rename to contivModel/rule.json
index fe247ebbb..8e03e9201 100644
--- a/contivmodel/rule.json
+++ b/contivModel/rule.json
@@ -79,18 +79,32 @@
},
"fromIpAddress": {
"type": "string",
- "title": "IP Address",
+ "title": "From IP Address",
"description": "Match from IP address. Valid only in incoming direction",
"format": "^(((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(\\\\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])){3})(\\\\-(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9]))?(/(3[0-1]|2[0-9]|1[0-9]|[1-9]))?)?$",
"showSummary": true
},
"toIpAddress": {
"type": "string",
- "title": "IP Address",
+ "title": "To IP Address",
"description": "Match to IP address. Valid only in outgoing direction",
"format": "^(((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(\\\\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])){3})(\\\\-(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9]))?(/(3[0-1]|2[0-9]|1[0-9]|[1-9]))?)?$",
"showSummary": true
},
+ "fromTenantName": {
+ "type": "string",
+ "title": "From Tenant Name",
+ "length": 64,
+ "format": "^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\\\-]*[a-zA-Z0-9])\\\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\\\-]*[A-Za-z0-9])?$",
+ "showSummary": true
+ },
+ "toTenantName": {
+ "type": "string",
+ "title": "To Tenant Name",
+ "length": 64,
+ "format": "^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\\\-]*[a-zA-Z0-9])\\\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\\\-]*[A-Za-z0-9])?$",
+ "showSummary": true
+ },
"protocol": {
"type": "string",
"format": "^(tcp|udp|icmp||[0-9]{1,3}?)$",
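Review bot: The new `fromTenantName` and `toTenantName` properties have no `description`, while the neighbouring `fromIpAddress` and `toIpAddress` entries state what they match and in which direction they are valid. Add one to each, along the lines of `"description": "Tenant of the from endpoint group. Valid only in incoming direction"` (wording to be confirmed against the intended semantics), so the generated docs and clients explain that these fields make a rule refer to another tenant.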
diff --git a/contivmodel/scripts/build.sh b/contivModel/scripts/build.sh
similarity index 100%
rename from contivmodel/scripts/build.sh
rename to contivModel/scripts/build.sh
diff --git a/contivmodel/servicelb.json b/contivModel/servicelb.json
similarity index 100%
rename from contivmodel/servicelb.json
rename to contivModel/servicelb.json
diff --git a/contivmodel/spec/Dockerfile b/contivModel/spec/Dockerfile
similarity index 100%
rename from contivmodel/spec/Dockerfile
rename to contivModel/spec/Dockerfile
diff --git a/contivmodel/spec/Dockerfile.cleanup b/contivModel/spec/Dockerfile.cleanup
similarity index 100%
rename from contivmodel/spec/Dockerfile.cleanup
rename to contivModel/spec/Dockerfile.cleanup
diff --git a/contivmodel/spec/Makefile b/contivModel/spec/Makefile
similarity index 100%
rename from contivmodel/spec/Makefile
rename to contivModel/spec/Makefile
diff --git a/contivmodel/spec/auth_proxy.raml b/contivModel/spec/auth_proxy.raml
similarity index 100%
rename from contivmodel/spec/auth_proxy.raml
rename to contivModel/spec/auth_proxy.raml
diff --git a/contivmodel/spec/auth_proxy/libraries/auth_proxy.raml b/contivModel/spec/auth_proxy/libraries/auth_proxy.raml
similarity index 100%
rename from contivmodel/spec/auth_proxy/libraries/auth_proxy.raml
rename to contivModel/spec/auth_proxy/libraries/auth_proxy.raml
diff --git a/contivmodel/spec/auth_proxy/schemas/collection-item.raml b/contivModel/spec/auth_proxy/schemas/collection-item.raml
similarity index 100%
rename from contivmodel/spec/auth_proxy/schemas/collection-item.raml
rename to contivModel/spec/auth_proxy/schemas/collection-item.raml
diff --git a/contivmodel/spec/auth_proxy/schemas/collection.raml b/contivModel/spec/auth_proxy/schemas/collection.raml
similarity index 100%
rename from contivmodel/spec/auth_proxy/schemas/collection.raml
rename to contivModel/spec/auth_proxy/schemas/collection.raml
diff --git a/contivmodel/spec/auth_proxy/schemas/custom-scheme.raml b/contivModel/spec/auth_proxy/schemas/custom-scheme.raml
similarity index 100%
rename from contivmodel/spec/auth_proxy/schemas/custom-scheme.raml
rename to contivModel/spec/auth_proxy/schemas/custom-scheme.raml
diff --git a/contivmodel/spec/auth_proxy/schemas/non-upd-collection-item.raml b/contivModel/spec/auth_proxy/schemas/non-upd-collection-item.raml
similarity index 100%
rename from contivmodel/spec/auth_proxy/schemas/non-upd-collection-item.raml
rename to contivModel/spec/auth_proxy/schemas/non-upd-collection-item.raml
diff --git a/contivmodel/spec/auth_proxy/schemas/ro-collection-item.raml b/contivModel/spec/auth_proxy/schemas/ro-collection-item.raml
similarity index 100%
rename from contivmodel/spec/auth_proxy/schemas/ro-collection-item.raml
rename to contivModel/spec/auth_proxy/schemas/ro-collection-item.raml
diff --git a/contivmodel/spec/build.sh b/contivModel/spec/build.sh
similarity index 100%
rename from contivmodel/spec/build.sh
rename to contivModel/spec/build.sh
diff --git a/contivmodel/spec/cleanup.rb b/contivModel/spec/cleanup.rb
similarity index 100%
rename from contivmodel/spec/cleanup.rb
rename to contivModel/spec/cleanup.rb
diff --git a/contivmodel/spec/docs/body.html b/contivModel/spec/docs/body.html
similarity index 100%
rename from contivmodel/spec/docs/body.html
rename to contivModel/spec/docs/body.html
diff --git a/contivmodel/spec/docs/contiv.html b/contivModel/spec/docs/contiv.html
similarity index 100%
rename from contivmodel/spec/docs/contiv.html
rename to contivModel/spec/docs/contiv.html
diff --git a/contivmodel/spec/docs/head.html b/contivModel/spec/docs/head.html
similarity index 100%
rename from contivmodel/spec/docs/head.html
rename to contivModel/spec/docs/head.html
diff --git a/contivmodel/spec/generate_raml.rb b/contivModel/spec/generate_raml.rb
similarity index 100%
rename from contivmodel/spec/generate_raml.rb
rename to contivModel/spec/generate_raml.rb
diff --git a/contivmodel/spec/netmaster.raml b/contivModel/spec/netmaster.raml
similarity index 100%
rename from contivmodel/spec/netmaster.raml
rename to contivModel/spec/netmaster.raml
diff --git a/contivmodel/spec/netmaster/libraries/netmaster.raml b/contivModel/spec/netmaster/libraries/netmaster.raml
similarity index 100%
rename from contivmodel/spec/netmaster/libraries/netmaster.raml
rename to contivModel/spec/netmaster/libraries/netmaster.raml
diff --git a/contivmodel/spec/netmaster/schemas/collection-item.raml b/contivModel/spec/netmaster/schemas/collection-item.raml
similarity index 100%
rename from contivmodel/spec/netmaster/schemas/collection-item.raml
rename to contivModel/spec/netmaster/schemas/collection-item.raml
diff --git a/contivmodel/spec/netmaster/schemas/collection.raml b/contivModel/spec/netmaster/schemas/collection.raml
similarity index 100%
rename from contivmodel/spec/netmaster/schemas/collection.raml
rename to contivModel/spec/netmaster/schemas/collection.raml
diff --git a/contivmodel/spec/netmaster/schemas/custom-scheme.raml b/contivModel/spec/netmaster/schemas/custom-scheme.raml
similarity index 100%
rename from contivmodel/spec/netmaster/schemas/custom-scheme.raml
rename to contivModel/spec/netmaster/schemas/custom-scheme.raml
diff --git a/contivmodel/spec/netmaster/schemas/non-upd-collection-item.raml b/contivModel/spec/netmaster/schemas/non-upd-collection-item.raml
similarity index 100%
rename from contivmodel/spec/netmaster/schemas/non-upd-collection-item.raml
rename to contivModel/spec/netmaster/schemas/non-upd-collection-item.raml
diff --git a/contivmodel/spec/netmaster/schemas/ro-collection-item.raml b/contivModel/spec/netmaster/schemas/ro-collection-item.raml
similarity index 100%
rename from contivmodel/spec/netmaster/schemas/ro-collection-item.raml
rename to contivModel/spec/netmaster/schemas/ro-collection-item.raml
diff --git a/contivmodel/systemtests/client_test.go b/contivModel/systemtests/client_test.go
similarity index 100%
rename from contivmodel/systemtests/client_test.go
rename to contivModel/systemtests/client_test.go
diff --git a/contivmodel/systemtests/mock_server.go b/contivModel/systemtests/mock_server.go
similarity index 100%
rename from contivmodel/systemtests/mock_server.go
rename to contivModel/systemtests/mock_server.go
diff --git a/contivmodel/tenant.json b/contivModel/tenant.json
similarity index 100%
rename from contivmodel/tenant.json
rename to contivModel/tenant.json
diff --git a/contivmodel/volume.json b/contivModel/volume.json
similarity index 100%
rename from contivmodel/volume.json
rename to contivModel/volume.json
diff --git a/contivmodel/volumeProfile.json b/contivModel/volumeProfile.json
similarity index 100%
rename from contivmodel/volumeProfile.json
rename to contivModel/volumeProfile.json
diff --git a/core/core.go b/core/core.go
index 1b23f8e7c..81c0a1249 100755
--- a/core/core.go
+++ b/core/core.go
@@ -75,18 +75,19 @@ type Plugin interface {
// InstanceInfo encapsulates data that is specific to a running instance of
// netplugin like label of host on which it is started.
type InstanceInfo struct {
- StateDriver StateDriver `json:"-"`
- HostLabel string `json:"host-label"`
- CtrlIP string `json:"ctrl-ip"`
- VtepIP string `json:"vtep-ip"`
- UplinkIntf []string `json:"uplink-if"`
- RouterIP string `json:"router-ip"`
- FwdMode string `json:"fwd-mode"`
- ArpMode string `json:"arp-mode"`
- DbURL string `json:"db-url"`
- PluginMode string `json:"plugin-mode"`
- HostPvtNW int `json:"host-pvt-nw"`
- VxlanUDPPort int `json:"vxlan-port"`
+ StateDriver StateDriver `json:"-"`
+ HostLabel string `json:"host-label"`
+ CtrlIP string `json:"ctrl-ip"`
+ VtepIP string `json:"vtep-ip"`
+ UplinkIntf []string `json:"uplink-if"`
+ RouterIP string `json:"router-ip"`
+ FwdMode string `json:"fwd-mode"`
+ ArpMode string `json:"arp-mode"`
+ DbURL string `json:"db-url"`
+ PluginMode string `json:"plugin-mode"`
+ HostPvtNW int `json:"host-pvt-nw"`
+ VxlanUDPPort int `json:"vxlan-port"`
+ EndpointIpsAreUnique bool `json:"endpoint-ips-are-unique"`
}
// PortSpec defines protocol/port info required to host the service
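Review bot: The new field is spelled `EndpointIpsAreUnique`, whereas every other field in `InstanceInfo` keeps the initialism upper-case (`CtrlIP`, `VtepIP`, `RouterIP`); `EndpointIPsAreUnique` would match and pass golint, and the JSON tag can stay as it is. The same spelling is used for the new `NewOvsSwitch` parameter in drivers/ovsd/ovsSwitch.go. The field also has no comment; a line such as `// EndpointIPsAreUnique tells the datapath that no two endpoints share an IP address` (meaning to be confirmed by the author) would tell operators what they are asserting when they enable it.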
diff --git a/drivers/ovsd/ovsSwitch.go b/drivers/ovsd/ovsSwitch.go
index 42d9217ce..9e52f7649 100755
--- a/drivers/ovsd/ovsSwitch.go
+++ b/drivers/ovsd/ovsSwitch.go
@@ -90,7 +90,7 @@ func (sw *OvsSwitch) GetUplinkInterfaces(uplinkID string) []string {
// NewOvsSwitch Creates a new OVS switch instance
func NewOvsSwitch(bridgeName, netType, localIP, fwdMode string,
- vlanIntf []string, hostPvtNW int, vxlanUDPPort int) (*OvsSwitch, error) {
+ vlanIntf []string, hostPvtNW int, vxlanUDPPort int, endpointIpsAreUnique bool) (*OvsSwitch, error) {
var err error
var datapath string
var ofnetPort, ctrlrPort uint16
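Review bot: `NewOvsSwitch` gains an eighth positional parameter, a bare `bool`, but its doc comment still reads only `// NewOvsSwitch Creates a new OVS switch instance`. Extend the comment to say what `endpointIpsAreUnique` changes in the ofnet agent and what happens if it is set while endpoint IPs in fact overlap. The two later hunks in this file forward the value unchanged to `ofnet.NewOfnetAgent`. The function body continues outside this hunk.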
@@ -123,7 +123,7 @@ func NewOvsSwitch(bridgeName, netType, localIP, fwdMode string,
}
// Create an ofnet agent
sw.ofnetAgent, err = ofnet.NewOfnetAgent(bridgeName, datapath, net.ParseIP(localIP),
- ofnetPort, ctrlrPort, vlanIntf)
+ ofnetPort, ctrlrPort, vlanIntf, endpointIpsAreUnique)
if err != nil {
log.Fatalf("Error initializing ofnet")
@@ -144,7 +144,7 @@ func NewOvsSwitch(bridgeName, netType, localIP, fwdMode string,
}
// Create an ofnet agent
sw.ofnetAgent, err = ofnet.NewOfnetAgent(bridgeName, datapath, net.ParseIP(localIP),
- ofnetPort, ctrlrPort, vlanIntf)
+ ofnetPort, ctrlrPort, vlanIntf, endpointIpsAreUnique)
if err != nil {
log.Fatalf("Error initializing ofnet")
diff --git a/drivers/ovsd/ovsdriver.go b/drivers/ovsd/ovsdriver.go
index a4cb56149..ce892bd42 100644
--- a/drivers/ovsd/ovsdriver.go
+++ b/drivers/ovsd/ovsdriver.go
@@ -171,13 +171,15 @@ func (d *OvsDriver) Init(info *core.InstanceInfo) error {
// Create Vxlan switch
d.switchDb["vxlan"], err = NewOvsSwitch(vxlanBridgeName, "vxlan", info.VtepIP,
- info.FwdMode, nil, info.HostPvtNW, info.VxlanUDPPort)
+ info.FwdMode, nil, info.HostPvtNW, info.VxlanUDPPort,
+ info.EndpointIpsAreUnique)
if err != nil {
log.Fatalf("Error creating vlan switch. Err: %v", err)
}
// Create Vlan switch
d.switchDb["vlan"], err = NewOvsSwitch(vlanBridgeName, "vlan", info.VtepIP,
- info.FwdMode, info.UplinkIntf, info.HostPvtNW, info.VxlanUDPPort)
+ info.FwdMode, info.UplinkIntf, info.HostPvtNW, info.VxlanUDPPort,
+ info.EndpointIpsAreUnique)
if err != nil {
log.Fatalf("Error creating vlan switch. Err: %v", err)
}
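Review bot: `info.EndpointIpsAreUnique` is read for both switches here, but none of the hunks visible on this page assigns it, so unless it is populated where `InstanceInfo` is built the agents always receive the zero value `false`. Confirm that the field is set from configuration before `Init` runs and that `false` is the intended default for existing deployments. `Init` starts and ends outside this hunk.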
diff --git a/install/k8s/cluster/bootstrap_centos.sh b/install/k8s/cluster/bootstrap_centos.sh
index 3c60919b8..43477f7c2 100755
--- a/install/k8s/cluster/bootstrap_centos.sh
+++ b/install/k8s/cluster/bootstrap_centos.sh
@@ -8,6 +8,7 @@ fi
set -ex
swapoff -a
+sudo sed -i '/swap/d' /etc/fstab
setenforce 0
systemctl stop firewalld
systemctl disable firewalld
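Review bot: The added `sudo sed -i '/swap/d' /etc/fstab` deletes every line that contains the string "swap" anywhere, including comments and any mount whose device or path merely contains that word, and it edits `/etc/fstab` in place with no backup. Match only swap-type entries and keep a copy, e.g. `sed -i.bak '/^[^#].*[[:space:]]swap[[:space:]]/d' /etc/fstab`. The `sudo` is also inconsistent with the surrounding `swapoff -a` and `setenforce 0`, which run without it; use one convention throughout the script.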
diff --git a/mgmtfn/dockplugin/netDriver.go b/mgmtfn/dockplugin/netDriver.go
index 48ca351ad..653e24a59 100644
--- a/mgmtfn/dockplugin/netDriver.go
+++ b/mgmtfn/dockplugin/netDriver.go
@@ -24,7 +24,7 @@ import (
"strings"
log "github.com/Sirupsen/logrus"
- "github.com/contiv/netplugin/contivmodel/client"
+ "github.com/contiv/netplugin/contivModel/client"
"github.com/contiv/netplugin/core"
"github.com/contiv/netplugin/netmaster/docknet"
"github.com/contiv/netplugin/netmaster/intent"
diff --git a/netctl/commands.go b/netctl/commands.go
index 7ad290910..005651b33 100755
--- a/netctl/commands.go
+++ b/netctl/commands.go
@@ -346,10 +346,18 @@ var Commands = []cli.Command{
Name: "from-group, g",
Usage: "From Endpoint Group Name (Valid in incoming direction only)",
},
+ cli.StringFlag{
+ Name: "from-tenant",
+ Usage: "From Tenant Name (Valid in incoming direction only)",
+ },
cli.StringFlag{
Name: "to-group, e",
Usage: "To Endpoint Group Name (Valid in outgoing direction only)",
},
+ cli.StringFlag{
+ Name: "to-tenant",
+ Usage: "To Tenant Name (Valid in outgoing direction only)",
+ },
cli.StringFlag{
Name: "from-network, n",
Usage: "From Network name (Valid in incoming direction only)",
diff --git a/netctl/config.go b/netctl/config.go
index 68153a659..3ca4adc66 100644
--- a/netctl/config.go
+++ b/netctl/config.go
@@ -10,7 +10,7 @@ import (
"path/filepath"
"github.com/codegangsta/cli"
- contivClient "github.com/contiv/netplugin/contivmodel/client"
+ contivClient "github.com/contiv/netplugin/contivModel/client"
)
var errHomeDirectoryNotSet = errors.New("failed to detect HOME directory")
diff --git a/netctl/netctl.go b/netctl/netctl.go
index 92523417c..88a4287af 100755
--- a/netctl/netctl.go
+++ b/netctl/netctl.go
@@ -17,7 +17,7 @@ import (
"golang.org/x/crypto/ssh/terminal"
"github.com/codegangsta/cli"
- contivClient "github.com/contiv/netplugin/contivmodel/client"
+ contivClient "github.com/contiv/netplugin/contivModel/client"
"github.com/contiv/netplugin/version"
)
@@ -219,6 +219,8 @@ func addRule(ctx *cli.Context) {
errExit(ctx, exitHelp, "Policy name and Rule ID required", true)
}
+ toTenant := ctx.String("to-tenant")
+ fromTenant := ctx.String("from-tenant")
dir := ctx.String("direction")
if dir == "in" {
if ctx.String("to-group") != "" {
@@ -227,10 +229,18 @@ func addRule(ctx *cli.Context) {
if ctx.String("to-network") != "" {
errExit(ctx, exitHelp, "Cant specify to-network for incoming rule", false)
}
+ if toTenant != "" {
+ errExit(ctx, exitHelp, "Cant specify to-tenant for incoming rule", false)
+ }
- // If from EPG is specified, make sure from network is specified too
- if ctx.String("from-group") != "" && ctx.String("from-network") != "" {
- errExit(ctx, exitHelp, "Can't specify both from-group argument and -from-network ", false)
+ // If from EPG is specified, make sure from network is not specified too
+ if ctx.String("from-group") != "" {
+ if ctx.String("from-network") != "" {
+ errExit(ctx, exitHelp, "Can't specify both from-group argument and -from-network ", false)
+ }
+ if fromTenant == "" {
+ fromTenant = ctx.String("tenant")
+ }
}
} else if dir == "out" {
if ctx.String("from-group") != "" {
@@ -242,10 +252,18 @@ func addRule(ctx *cli.Context) {
if ctx.String("from-ip-address") != "" {
errExit(ctx, exitHelp, "Cant specify from-ip-address for outgoing rule", false)
}
+ if fromTenant != "" {
+ errExit(ctx, exitHelp, "Cant specify from-tenant for incoming rule", false)
+ }
- // If to EPG is specified, make sure to network is specified too
- if ctx.String("to-group") != "" && ctx.String("to-network") != "" {
- errExit(ctx, exitHelp, "Can't specify both -to-group and -to-network", false)
+ // If to EPG is specified, make sure to network is not specified too
+ if ctx.String("to-group") != "" {
+ if ctx.String("to-network") != "" {
+ errExit(ctx, exitHelp, "Can't specify both -to-group and -to-network", false)
+ }
+ if toTenant == "" {
+ toTenant = ctx.String("tenant")
+ }
}
} else {
errExit(ctx, exitHelp, "Unknown direction", false)
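Review bot: The new from-tenant check sits in the `dir == "out"` branch but its message says "incoming rule", so a user who passes `--from-tenant` on an outgoing rule is told the wrong thing. It should read `errExit(ctx, exitHelp, "Cant specify from-tenant for outgoing rule", false)`, matching the from-ip-address check just above it in the same branch. addRule starts and ends outside this hunk.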
@@ -258,7 +276,9 @@ func addRule(ctx *cli.Context) {
Priority: ctx.Int("priority"),
Direction: ctx.String("direction"),
FromEndpointGroup: ctx.String("from-group"),
+ FromTenantName: fromTenant,
ToEndpointGroup: ctx.String("to-group"),
+ ToTenantName: toTenant,
FromNetwork: ctx.String("from-network"),
ToNetwork: ctx.String("to-network"),
FromIpAddress: ctx.String("from-ip-address"),
diff --git a/netmaster/k8snetwork/networkpolicy.go b/netmaster/k8snetwork/networkpolicy.go
index 68f1aa220..b82d1421e 100644
--- a/netmaster/k8snetwork/networkpolicy.go
+++ b/netmaster/k8snetwork/networkpolicy.go
@@ -8,7 +8,7 @@ import (
"time"
log "github.com/Sirupsen/logrus"
- "github.com/contiv/netplugin/contivmodel/client"
+ "github.com/contiv/netplugin/contivModel/client"
"github.com/contiv/netplugin/utils/k8sutils"
"k8s.io/api/networking/v1"
meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
diff --git a/netmaster/master/policy.go b/netmaster/master/policy.go
index 8d90e89ab..5eea96470 100755
--- a/netmaster/master/policy.go
+++ b/netmaster/master/policy.go
@@ -16,7 +16,7 @@ limitations under the License.
package master
import (
- "github.com/contiv/netplugin/contivmodel"
+ "github.com/contiv/netplugin/contivModel"
"github.com/contiv/netplugin/core"
"github.com/contiv/netplugin/netmaster/mastercfg"
"github.com/contiv/netplugin/utils"
diff --git a/netmaster/mastercfg/policyState.go b/netmaster/mastercfg/policyState.go
index d16fa5cf9..08fe03c77 100644
--- a/netmaster/mastercfg/policyState.go
+++ b/netmaster/mastercfg/policyState.go
@@ -23,7 +23,7 @@ import (
log "github.com/Sirupsen/logrus"
- "github.com/contiv/netplugin/contivmodel"
+ "github.com/contiv/netplugin/contivModel"
"github.com/contiv/netplugin/core"
"github.com/contiv/ofnet"
)
@@ -176,18 +176,24 @@ func (gp *EpgPolicy) createOfnetRule(rule *contivModel.Rule, dir string) (*ofnet
ofnetRule.Priority = rule.Priority
ofnetRule.Action = rule.Action
+ // from/to tenant name was added for k8s network policy to be part of
+ // the group designation, otherwise the regular tenant (the tenant for
+ // the policy-rule) can be used
+
// See if user specified an endpoint Group in the rule
if rule.FromEndpointGroup != "" {
- remoteEpgID, err = GetEndpointGroupID(stateStore, rule.FromEndpointGroup, rule.TenantName)
+ remoteEpgID, err = GetEndpointGroupID(stateStore, rule.FromEndpointGroup, rule.FromTenantName)
if err != nil {
log.Errorf("Error finding endpoint group %s/%s/%s. Err: %v",
- rule.FromEndpointGroup, rule.FromNetwork, rule.TenantName, err)
+ rule.FromEndpointGroup, rule.FromNetwork, rule.FromTenantName, err)
+ return nil, errors.New("the FromEndpointGroup key wasn't found")
}
} else if rule.ToEndpointGroup != "" {
- remoteEpgID, err = GetEndpointGroupID(stateStore, rule.ToEndpointGroup, rule.TenantName)
+ remoteEpgID, err = GetEndpointGroupID(stateStore, rule.ToEndpointGroup, rule.ToTenantName)
if err != nil {
log.Errorf("Error finding endpoint group %s/%s/%s. Err: %v",
- rule.ToEndpointGroup, rule.ToNetwork, rule.TenantName, err)
+ rule.ToEndpointGroup, rule.ToNetwork, rule.ToTenantName, err)
+ return nil, errors.New("the ToEndpointGroup key wasn't found")
}
} else if rule.FromNetwork != "" {
netKey := rule.TenantName + ":" + rule.FromNetwork
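Review bot: The endpoint-group lookups now pass `rule.FromTenantName` and `rule.ToTenantName` with no fallback, although the comment added above them says the policy's own tenant can be used otherwise. netctl fills the field from `--tenant`, but a rule written by another client or stored before this change would presumably arrive with it empty, and the new `return nil, errors.New(...)` then rejects a rule that previously resolved under `rule.TenantName`. Defaulting first keeps those rules working: `fromTenant := rule.FromTenantName` followed by `if fromTenant == "" { fromTenant = rule.TenantName }`, and the same on the To side. The two new returns also discard `err`; returning it (or including it in the message) would keep the lookup failure's cause. createOfnetRule starts and ends outside this hunk.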
@@ -211,6 +217,14 @@ func (gp *EpgPolicy) createOfnetRule(rule *contivModel.Rule, dir string) (*ofnet
rule.ToIpAddress = net.Subnet
}
+ var remoteTenant string
+ if rule.FromTenantName != "" {
+ remoteTenant = rule.FromTenantName
+ }
+ if rule.ToTenantName != "" {
+ remoteTenant = rule.ToTenantName
+ }
+
// Set protocol
switch rule.Protocol {
case "tcp":
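Review bot: `remoteTenant` is picked by last assignment, so a rule that carries both `FromTenantName` and `ToTenantName` silently gets the To value regardless of direction. netctl rejects that combination, but whether other writers of contivModel.Rule do is not visible here. Setting `remoteTenant` in the same branch that resolves `remoteEpgID` would guarantee that the VRF written to SrcVrf/DstVrf further down is the tenant the group was looked up in. A comment such as `// remoteTenant must be the tenant remoteEpgID was resolved in` would document that invariant. createOfnetRule starts and ends outside this hunk.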
@@ -235,7 +249,9 @@ func (gp *EpgPolicy) createOfnetRule(rule *contivModel.Rule, dir string) (*ofnet
case "inRx":
// Set src/dest endpoint group
ofnetRule.DstEndpointGroup = gp.EndpointGroupID
+ ofnetRule.DstVrf = rule.TenantName
ofnetRule.SrcEndpointGroup = remoteEpgID
+ ofnetRule.SrcVrf = remoteTenant
// Set src/dest IP Address
ofnetRule.SrcIpAddr = rule.FromIpAddress
@@ -253,7 +269,9 @@ func (gp *EpgPolicy) createOfnetRule(rule *contivModel.Rule, dir string) (*ofnet
case "inTx":
// Set src/dest endpoint group
ofnetRule.SrcEndpointGroup = gp.EndpointGroupID
+ ofnetRule.SrcVrf = rule.TenantName
ofnetRule.DstEndpointGroup = remoteEpgID
+ ofnetRule.DstVrf = remoteTenant
// Set src/dest IP Address
ofnetRule.DstIpAddr = rule.FromIpAddress
@@ -266,7 +284,9 @@ func (gp *EpgPolicy) createOfnetRule(rule *contivModel.Rule, dir string) (*ofnet
case "outRx":
// Set src/dest endpoint group
ofnetRule.DstEndpointGroup = gp.EndpointGroupID
+ ofnetRule.DstVrf = rule.TenantName
ofnetRule.SrcEndpointGroup = remoteEpgID
+ ofnetRule.SrcVrf = remoteTenant
// Set src/dest IP Address
ofnetRule.SrcIpAddr = rule.ToIpAddress
@@ -276,7 +296,9 @@ func (gp *EpgPolicy) createOfnetRule(rule *contivModel.Rule, dir string) (*ofnet
case "outTx":
// Set src/dest endpoint group
ofnetRule.SrcEndpointGroup = gp.EndpointGroupID
+ ofnetRule.SrcVrf = rule.TenantName
ofnetRule.DstEndpointGroup = remoteEpgID
+ ofnetRule.DstVrf = remoteTenant
// Set src/dest IP Address
ofnetRule.DstIpAddr = rule.ToIpAddress
diff --git a/netmaster/objApi/apiController.go b/netmaster/objApi/apiController.go
index 917b1a273..d11817110 100644
--- a/netmaster/objApi/apiController.go
+++ b/netmaster/objApi/apiController.go
@@ -25,7 +25,7 @@ import (
"io/ioutil"
"net/http"
- contivModel "github.com/contiv/netplugin/contivmodel"
+ contivModel "github.com/contiv/netplugin/contivModel"
"github.com/contiv/netplugin/core"
"github.com/contiv/netplugin/drivers"
"github.com/contiv/netplugin/netmaster/docknet"
diff --git a/netmaster/objApi/extContracts.go b/netmaster/objApi/extContracts.go
index cfb837cb1..4c56b7ae7 100644
--- a/netmaster/objApi/extContracts.go
+++ b/netmaster/objApi/extContracts.go
@@ -17,8 +17,9 @@ package objApi
import (
"fmt"
+
log "github.com/Sirupsen/logrus"
- "github.com/contiv/netplugin/contivmodel"
+ "github.com/contiv/netplugin/contivModel"
"github.com/contiv/netplugin/core"
"github.com/contiv/netplugin/objdb/modeldb"
)
diff --git a/netmaster/objApi/infraproxy.go b/netmaster/objApi/infraproxy.go
index 87d6a63c6..62344293e 100755
--- a/netmaster/objApi/infraproxy.go
+++ b/netmaster/objApi/infraproxy.go
@@ -11,7 +11,7 @@ import (
"time"
log "github.com/Sirupsen/logrus"
- "github.com/contiv/netplugin/contivmodel"
+ "github.com/contiv/netplugin/contivModel"
"github.com/contiv/netplugin/core"
"github.com/contiv/netplugin/netmaster/master"
"github.com/contiv/netplugin/netmaster/mastercfg"
diff --git a/netplugin/netd.go b/netplugin/netd.go
index 37a62ce3e..5bc1ff5dd 100755
--- a/netplugin/netd.go
+++ b/netplugin/netd.go
@@ -110,14 +110,15 @@ func initNetPluginConfig(ctx *cli.Context) (*plugin.Config, error) {
State: dbConfigs.StoreDriver,
},
Instance: core.InstanceInfo{
- HostLabel: hostLabel,
- CtrlIP: controlIP,
- VtepIP: vtepIP,
- UplinkIntf: vlanUpLinks,
- DbURL: dbConfigs.StoreURL,
- PluginMode: netConfigs.Mode,
- VxlanUDPPort: vxlanPort,
- FwdMode: netConfigs.ForwardMode, // TODO: pass in network mode
+ HostLabel: hostLabel,
+ CtrlIP: controlIP,
+ VtepIP: vtepIP,
+ UplinkIntf: vlanUpLinks,
+ DbURL: dbConfigs.StoreURL,
+ PluginMode: netConfigs.Mode,
+ VxlanUDPPort: vxlanPort,
+ FwdMode: netConfigs.ForwardMode, // TODO: pass in network mode
+ EndpointIpsAreUnique: true,
},
}, nil
}
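Review bot: `EndpointIpsAreUnique` is hard-coded to `true` for every plugin mode, while the field comment added to the vendored ofnetAgent.go in this same commit says true "allows endpoints in different VRFs to communicate directly". Where tenants reuse address ranges, that looks like a relaxation of tenant isolation that the operator never chose. Deriving the value from `netConfigs.Mode` or an explicit configuration option would make the trade-off deliberate. At minimum add `// true lets endpoints in different VRFs reach each other directly; only safe when IPs are unique across tenants` next to the field. initNetPluginConfig starts outside this hunk.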
diff --git a/vendor/github.com/contiv/ofnet/ofnet.go b/vendor/github.com/contiv/ofnet/ofnet.go
index 8a2a7270a..aa468a361 100755
--- a/vendor/github.com/contiv/ofnet/ofnet.go
+++ b/vendor/github.com/contiv/ofnet/ofnet.go
@@ -189,9 +189,11 @@ type OfnetEndpoint struct {
type OfnetPolicyRule struct {
RuleId string // Unique identifier for the rule
Priority int // Priority for the rule (1..100. 100 is highest)
+ SrcVrf string // For policy rules, reqiured to uniquely identify the SrcEndpointGroup
SrcEndpointGroup int // Source endpoint group
+ DstVrf string // For policy rules, required to uniquely identify the DstEndpointGroup
DstEndpointGroup int // Destination endpoint group
- SrcIpAddr string // source IP addrss and mask
+ SrcIpAddr string // source IP address and mask
DstIpAddr string // Destination IP address and mask
IpProtocol uint8 // IP protocol number
SrcPort uint16 // Source port
diff --git a/vendor/github.com/contiv/ofnet/ofnetAgent.go b/vendor/github.com/contiv/ofnet/ofnetAgent.go
index d9bcef64a..6c3b8f785 100755
--- a/vendor/github.com/contiv/ofnet/ofnetAgent.go
+++ b/vendor/github.com/contiv/ofnet/ofnetAgent.go
@@ -40,6 +40,10 @@ import (
cmap "github.com/streamrail/concurrent-map"
)
+// these can be passed to NewOfnetAgent for endpointIPsAreUnique parameter
+const OFNET_AGENT_ENDPOINT_IPS_ARE_NOT_UNIQUE_PARAM = false
+const OFNET_AGENT_ENDPOINT_IPS_ARE_UNIQUE_PARAM = true
+
// OfnetAgent state
type OfnetAgent struct {
ctrler *ofctrl.Controller // Controller instance
@@ -55,6 +59,11 @@ type OfnetAgent struct {
datapath OfnetDatapath // Configured datapath
protopath OfnetProto // Configured protopath
+ // True if all requests to create endpoints no matter the VRF will have
+ // unique IPs, which would allow for inferring the VRF based on IP address
+ // True also allows endpoints in different VRFs to communicate directly
+ endpointIpsAreUnique bool
+
masterDb map[string]*OfnetNode // list of Masters
masterDbMutex sync.Mutex // Sync mutex for masterDb
@@ -147,8 +156,8 @@ const (
// Create a new Ofnet agent and initialize it
func NewOfnetAgent(bridgeName string, dpName string, localIp net.IP, rpcPort uint16,
- ovsPort uint16, uplinkInfo []string) (*OfnetAgent, error) {
- log.Infof("Creating new ofnet agent for %s,%s,%d,%d,%d\n", bridgeName, dpName, localIp, rpcPort, ovsPort)
+ ovsPort uint16, uplinkInfo []string, endpointIpsAreUnique bool) (*OfnetAgent, error) {
+ log.Infof("Creating new ofnet agent for %s,%s,%d,%d,%d,%v\n", bridgeName, dpName, localIp, rpcPort, ovsPort, endpointIpsAreUnique)
agent := new(OfnetAgent)
// Init params
@@ -168,6 +177,8 @@ func NewOfnetAgent(bridgeName string, dpName string, localIp net.IP, rpcPort uin
agent.vniVlanMap = make(map[uint32]*uint16)
agent.vlanVniMap = make(map[uint16]*uint32)
+ agent.endpointIpsAreUnique = endpointIpsAreUnique
+
// Initialize vtep database
agent.vtepTable = make(map[string]*uint32)
@@ -253,6 +264,10 @@ func (self *OfnetAgent) incrErrStats(errName string) {
self.stats[errName+"-ERROR"] = currStats
}
+func (a *OfnetAgent) IsEndpointIpsAreUnique() bool {
+ return a.endpointIpsAreUnique
+}
+
// getEndpointId Get a unique identifier for the endpoint.
func (self *OfnetAgent) getEndpointId(endpoint EndpointInfo) string {
self.vlanVrfMutex.RLock()
diff --git a/vendor/github.com/contiv/ofnet/ofnetMaster.go b/vendor/github.com/contiv/ofnet/ofnetMaster.go
index dee441486..050391ccb 100755
--- a/vendor/github.com/contiv/ofnet/ofnetMaster.go
+++ b/vendor/github.com/contiv/ofnet/ofnetMaster.go
@@ -229,7 +229,7 @@ func (self *OfnetMaster) UnRegisterNode(hostInfo *OfnetNode, ret *bool) error {
// Add an Endpoint
func (self *OfnetMaster) EndpointAdd(ep *OfnetEndpoint, ret *bool) error {
- log.Infof("Received Endpoint CReate from Remote netplugin")
+ log.Infof("Received Endpoint Create from Remote netplugin")
// Check if we have the endpoint already and which is more recent
self.masterMutex.RLock()
oldEp := self.endpointDb[ep.EndpointID]
diff --git a/vendor/github.com/contiv/ofnet/ofnetPolicy.go b/vendor/github.com/contiv/ofnet/ofnetPolicy.go
index dc5a83c0b..b38b678a9 100755
--- a/vendor/github.com/contiv/ofnet/ofnetPolicy.go
+++ b/vendor/github.com/contiv/ofnet/ofnetPolicy.go
@@ -17,6 +17,7 @@ package ofnet
import (
"errors"
+ "fmt"
"net"
"net/rpc"
"reflect"
@@ -79,31 +80,56 @@ func (self *PolicyAgent) SwitchDisconnected(sw *ofctrl.OFSwitch) {
}
// Metadata Format
-// 6 3 3 1 1 0 0
-// 3 1 0 6 5 1 0
-// +-------------+-+---------------+---------------+-+
-// | ....U |U| SrcGrp | DstGrp |V|
-// +-------------+-+---------------+---------------+-+
+// Source Tenant + Group
+// 0x1fff ffff 8000 0000 Destination Tenant + Group
+// | 0x7FFF FFFE
+// +--------+----------+ |
+// | v +--------+---------+
+// v Source Group v v
+// Source Tenant 0x7FFF 8000 0000 Destination Tenant Destination Group
+// 0x1FFF 8000 0000 0000 | 0x7FFE 0000 0x0001 FFFE
+// | | | |
+// +-------+--------++---------+---------++--------+-----++-----------+------+
+// | || || || |
+// v vv vv vv v
+// 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 000V
//
-// U: Unused
-// SrcGrp: Source endpoint group
-// DstGrp: Destination endpoint group
// V: Received on VTEP Port. Dont flood back to VTEP ports.
-//
-// DstGroupMetadata returns metadata for dst group
-func DstGroupMetadata(groupId int) (uint64, uint64) {
- metadata := uint64(groupId) << 1
- metadataMask := uint64(0xfffe)
+// returns openflow metadata and mask values for dst group
+func DstGroupMetadata(vrfid uint16, groupId int) (uint64, uint64) {
+ // vrf: shift 16 for src group, 1 for VTEP flag
+ // group: shift 1 for the VTEP flag
+ metadata := (uint64(vrfid) << 17) + (uint64(groupId) << 1)
+ // vrf:
+ // 14 bits shifted 1 for vtep flag and 16 for group
+ // format((((1<<14))-1)<<(1+16), 'x')
+ // 0x7ffe0000
+ // group:
+ // format((((1<<16)-1)<<1), 'x')
+ // 0x1fffe
+ metadataMask := uint64(0x7ffffffe)
metadata = metadata & metadataMask
return metadata, metadataMask
}
-// SrcGroupMetadata returns metadata for src group
-func SrcGroupMetadata(groupId int) (uint64, uint64) {
- metadata := uint64(groupId) << 16
- metadataMask := uint64(0x7fff0000)
+// returns openflow metadata and mask for src group
+func SrcGroupMetadata(vrfid uint16, groupId int) (uint64, uint64) {
+ // vrf:
+ // shift 30 for dest vrf+group, 16 for src group, 1 for VTEP flag = 47
+ // group:
+ // shift 30 for the dest vrf+group, 1 for the VTEP flag
+ metadata := (uint64(vrfid) << 47) + (uint64(groupId) << (30 + 1))
+ // vrf:
+ // 14 bits shifted by 1: vtep flag + 30: dest vrf+group + 16: src group
+ // format((((1<<14))-1)<<(1+30+16), 'x')
+ // 0x1FFF800000000000
+ // group:
+ // 16 bits shifted 30 for dest vrf+group plus 1 for vtep flag
+ // format((((1<<16))-1)<<(30+1), 'x')
+ // 0x7fff80000000
+ metadataMask := uint64(0x1FFFFFFF80000000)
metadata = metadata & metadataMask
return metadata, metadataMask
@@ -139,8 +165,9 @@ func (self *PolicyAgent) AddEndpoint(endpoint *OfnetEndpoint) error {
self.agent.vrfMutex.RLock()
vrfid := self.agent.vrfNameIdMap[*vrf]
self.agent.vrfMutex.RUnlock()
- vrfMetadata, vrfMetadataMask := Vrfmetadata(*vrfid)
- // Install the Dst group lookup flow
+
+ vrfMetadata, vrfMetadataMask := VrfDestMetadata(*vrfid)
+ // match destination tenant and IP
dstGrpFlow, err := self.dstGrpTable.NewFlow(ofctrl.FlowMatch{
Priority: FLOW_MATCH_PRIORITY,
Ethertype: 0x0800,
@@ -153,8 +180,8 @@ func (self *PolicyAgent) AddEndpoint(endpoint *OfnetEndpoint) error {
return err
}
- // Format the metadata
- metadata, metadataMask := DstGroupMetadata(endpoint.EndpointGroup)
+ // Format the metadata for the destination group
+ metadata, metadataMask := DstGroupMetadata(*vrfid, endpoint.EndpointGroup)
// Set dst GroupId
err = dstGrpFlow.SetMetadata(metadata, metadataMask)
@@ -230,7 +257,7 @@ func (self *PolicyAgent) AddIpv6Endpoint(endpoint *OfnetEndpoint) error {
vrfid := self.agent.vrfNameIdMap[*vrf]
self.agent.vrfMutex.RUnlock()
- vrfMetadata, vrfMetadataMask := Vrfmetadata(*vrfid)
+ vrfMetadata, vrfMetadataMask := VrfDestMetadata(*vrfid)
// Install the Dst group lookup flow
dstGrpFlow, err := self.dstGrpTable.NewFlow(ofctrl.FlowMatch{
Priority: FLOW_MATCH_PRIORITY,
@@ -245,7 +272,7 @@ func (self *PolicyAgent) AddIpv6Endpoint(endpoint *OfnetEndpoint) error {
}
// Format the metadata
- metadata, metadataMask := DstGroupMetadata(endpoint.EndpointGroup)
+ metadata, metadataMask := DstGroupMetadata(*vrfid, endpoint.EndpointGroup)
// Set dst GroupId
err = dstGrpFlow.SetMetadata(metadata, metadataMask)
@@ -299,8 +326,10 @@ func (self *PolicyAgent) AddRule(rule *OfnetPolicyRule, ret *bool) error {
var ipDaMask *net.IP = nil
var ipSa *net.IP = nil
var ipSaMask *net.IP = nil
- var md *uint64 = nil
- var mdm *uint64 = nil
+ var metadata uint64 = 0 // for calculations of md
+ var metadataMask uint64 = 0 // for calculations of mdm
+ var md *uint64 = nil // flow metadata
+ var mdm *uint64 = nil // flow metadata mask
var flag, flagMask uint16
var flagPtr, flagMaskPtr *uint16
var err error
@@ -346,24 +375,52 @@ func (self *PolicyAgent) AddRule(rule *OfnetPolicyRule, ret *bool) error {
}
}
- // parse source/dst endpoint groups
- if rule.SrcEndpointGroup != 0 && rule.DstEndpointGroup != 0 {
- srcMetadata, srcMetadataMask := SrcGroupMetadata(rule.SrcEndpointGroup)
- dstMetadata, dstMetadataMask := DstGroupMetadata(rule.DstEndpointGroup)
- metadata := srcMetadata | dstMetadata
- metadataMask := srcMetadataMask | dstMetadataMask
- md = &metadata
- mdm = &metadataMask
- } else if rule.SrcEndpointGroup != 0 {
- srcMetadata, srcMetadataMask := SrcGroupMetadata(rule.SrcEndpointGroup)
- md = &srcMetadata
- mdm = &srcMetadataMask
- } else if rule.DstEndpointGroup != 0 {
- dstMetadata, dstMetadataMask := DstGroupMetadata(rule.DstEndpointGroup)
- md = &dstMetadata
- mdm = &dstMetadataMask
+ updateMetadata := func(meta uint64, mask uint64) (*uint64, *uint64) {
+ metadata |= meta
+ metadataMask |= mask
+ return &metadata, &metadataMask
}
+ // parse source/dst endpoint tenants and groups
+ var srcVrfId *uint16
+ var dstVrfId *uint16
+ if rule.SrcVrf != "" {
+ srcVrfId = self.agent.getvrfId(rule.SrcVrf)
+ if srcVrfId == nil {
+ errMsg := fmt.Sprintf("VRF %s was not found", rule.SrcVrf)
+ log.Errorf(errMsg)
+ return errors.New(errMsg)
+ }
+ md, mdm = updateMetadata(VrfSrcMetadata(*srcVrfId))
+ }
+ if rule.SrcEndpointGroup != 0 {
+ if rule.SrcVrf == "" {
+ errMsg := fmt.Sprintf("Source group %v was provided without VRF",
+ rule.SrcEndpointGroup)
+ log.Errorf(errMsg)
+ return errors.New(errMsg)
+ }
+ md, mdm = updateMetadata(SrcGroupMetadata(*srcVrfId, rule.SrcEndpointGroup))
+ }
+ if rule.DstVrf != "" {
+ dstVrfId = self.agent.getvrfId(rule.DstVrf)
+ if dstVrfId == nil {
+ errMsg := fmt.Sprintf("VRF %s was not found", rule.DstVrf)
+ log.Errorf(errMsg)
+ return errors.New(errMsg)
+ }
+ md, mdm = updateMetadata(VrfDestMetadata(*dstVrfId))
+ }
+ if rule.DstEndpointGroup != 0 {
+ if rule.DstVrf == "" {
+ errMsg := fmt.Sprintf("Destination group %v was provided without VRF",
+ rule.DstEndpointGroup)
+ log.Errorf(errMsg)
+ return errors.New(errMsg)
+ }
+
+ md, mdm = updateMetadata(DstGroupMetadata(*dstVrfId, rule.DstEndpointGroup))
+ }
// Setup TCP flags
if rule.IpProtocol == 6 && rule.TcpFlags != "" {
switch rule.TcpFlags {
diff --git a/vendor/github.com/contiv/ofnet/util.go b/vendor/github.com/contiv/ofnet/util.go
index 76f57efd1..49b539722 100755
--- a/vendor/github.com/contiv/ofnet/util.go
+++ b/vendor/github.com/contiv/ofnet/util.go
@@ -167,7 +167,8 @@ func buildUDPRespPkt(inEth *protocol.Ethernet, uData []byte) (*protocol.Ethernet
return outEth, nil
}
-// createPortVlanFlow creates port vlan flow based on endpoint metadata
+// createPortVlanFlow creates port vlan flow (traffic coming out of a pod)
+// based on endpoint metadata
func createPortVlanFlow(agent *OfnetAgent, vlanTable, nextTable *ofctrl.Table, endpoint *OfnetEndpoint) (*ofctrl.Flow, error) {
// Install a flow entry for vlan mapping
portVlanFlow, err := vlanTable.NewFlow(ofctrl.FlowMatch{
@@ -179,16 +180,24 @@ func createPortVlanFlow(agent *OfnetAgent, vlanTable, nextTable *ofctrl.Table, e
return nil, err
}
- //set vrf id as METADATA
+ // set vrf id as METADATA for both source and destination
+ // this enables traffic to reach same VRF when there are overlapping
+ // IPs across VRFs and apply policy against the source VRF
+ // If IPs are unique and traffic is not isolated to single VRF (kubernetes)
+ // thn the table to set destination group will not match source VRF,
+ // just IP and rewrite the destination VRF
vrfid := agent.getvrfId(endpoint.Vrf)
- metadata, metadataMask := Vrfmetadata(*vrfid)
+ metadata, metadataMask := VrfSrcMetadata(*vrfid)
+ destMetadata, destMetadataMask := VrfDestMetadata(*vrfid)
+ metadata = metadata | destMetadata
+ metadataMask = metadataMask | destMetadataMask
// set source EPG id if required
if endpoint.EndpointGroup != 0 {
- srcMetadata, srcMetadataMask := SrcGroupMetadata(endpoint.EndpointGroup)
- metadata = metadata | srcMetadata
- metadataMask = metadataMask | srcMetadataMask
-
+ srcMetadata, srcMetadataMask := SrcGroupMetadata(*vrfid, endpoint.EndpointGroup)
+ dstMetadata, dstMetadataMask := DstGroupMetadata(*vrfid, endpoint.EndpointGroup)
+ metadata = metadata | srcMetadata | dstMetadata
+ metadataMask = metadataMask | srcMetadataMask | dstMetadataMask
}
// set vlan if required
@@ -238,16 +247,24 @@ func createDscpFlow(agent *OfnetAgent, vlanTable, nextTable *ofctrl.Table, endpo
return nil, nil, err
}
- //set vrf id as METADATA
+ // set vrf id as METADATA for both source and destination
+ // this enables traffic to reach same VRF when there are overlapping
+ // IPs across VRFs and apply policy against the source VRF
+ // If IPs are unique and traffic is not isolated to single VRF (kubernetes)
+ // thn the table to set destination group will not match source VRF,
+ // just IP and rewrite the destination VRF
vrfid := agent.getvrfId(endpoint.Vrf)
- metadata, metadataMask := Vrfmetadata(*vrfid)
+ metadata, metadataMask := VrfSrcMetadata(*vrfid)
+ destMetadata, destMetadataMask := VrfDestMetadata(*vrfid)
+ metadata = metadata | destMetadata
+ metadataMask = metadataMask | destMetadataMask
// set source EPG id if required
if endpoint.EndpointGroup != 0 {
- srcMetadata, srcMetadataMask := SrcGroupMetadata(endpoint.EndpointGroup)
- metadata = metadata | srcMetadata
- metadataMask = metadataMask | srcMetadataMask
-
+ srcMetadata, srcMetadataMask := SrcGroupMetadata(*vrfid, endpoint.EndpointGroup)
+ dstMetadata, dstMetadataMask := DstGroupMetadata(*vrfid, endpoint.EndpointGroup)
+ metadata = metadata | srcMetadata | dstMetadata
+ metadataMask = metadataMask | srcMetadataMask | dstMetadataMask
}
// set vlan if required
diff --git a/vendor/github.com/contiv/ofnet/vlrouter.go b/vendor/github.com/contiv/ofnet/vlrouter.go
index c8b8f40d1..e95665b97 100755
--- a/vendor/github.com/contiv/ofnet/vlrouter.go
+++ b/vendor/github.com/contiv/ofnet/vlrouter.go
@@ -633,7 +633,7 @@ func (vl *Vlrouter) AddEndpoint(endpoint *OfnetEndpoint) error {
}
//set vrf id as METADATA
- //metadata, metadataMask := Vrfmetadata(*vrfid)
+ //metadata, metadataMask := VrfDestMetadata(*vrfid)
outPort, err := vl.ofSwitch.OutputPort(endpoint.PortNo)
if err != nil {
@@ -787,7 +787,7 @@ func (vl *Vlrouter) AddRemoteIpv6Flow(endpoint *OfnetEndpoint) error {
}
//set vrf id as METADATA
- //metadata, metadataMask := Vrfmetadata(*vrfid)
+ //metadata, metadataMask := VrfDestMetadata(*vrfid)
outPort, err := vl.ofSwitch.OutputPort(endpoint.PortNo)
if err != nil {
diff --git a/vendor/github.com/contiv/ofnet/vrouter.go b/vendor/github.com/contiv/ofnet/vrouter.go
index 37274f8e3..6a53204a4 100755
--- a/vendor/github.com/contiv/ofnet/vrouter.go
+++ b/vendor/github.com/contiv/ofnet/vrouter.go
@@ -263,7 +263,7 @@ func (self *Vrouter) AddLocalEndpoint(endpoint OfnetEndpoint) error {
return errors.New("Invalid vrf name")
}
- vrfmetadata, vrfmetadataMask := Vrfmetadata(*vrfid)
+ vrfmetadata, vrfmetadataMask := VrfDestMetadata(*vrfid)
// Install the IP address
ipFlow, err := self.ipTable.NewFlow(ofctrl.FlowMatch{
@@ -417,7 +417,7 @@ func (self *Vrouter) RemoveLocalEndpoint(endpoint OfnetEndpoint) error {
flowId := self.agent.getEndpointIdByIpVlan(endpoint.IpAddr, endpoint.Vlan)
ipFlow := self.flowDb[flowId]
if ipFlow == nil {
- log.Errorf("Error finding the flow for endpoint: %+v", endpoint)
+ log.Errorf("Error finding the flow to remove for local endpoint by IP and VLAN: %+v", endpoint)
return errors.New("Flow not found")
}
@@ -575,7 +575,7 @@ func (self *Vrouter) AddLocalIpv6Flow(endpoint OfnetEndpoint) error {
}
//Ip table look up will be vrf,ip
- vrfmetadata, vrfmetadataMask := Vrfmetadata(*vrfid)
+ vrfmetadata, vrfmetadataMask := VrfDestMetadata(*vrfid)
// Install the IPv6 address
ipv6Flow, err := self.ipTable.NewFlow(ofctrl.FlowMatch{
Priority: FLOW_MATCH_PRIORITY,
@@ -625,7 +625,7 @@ func (self *Vrouter) RemoveLocalIpv6Flow(endpoint OfnetEndpoint) error {
flowId := self.agent.getEndpointIdByIpVlan(endpoint.Ipv6Addr, endpoint.Vlan)
ipv6Flow := self.flowDb[flowId]
if ipv6Flow == nil {
- log.Errorf("Error finding the flow for endpoint: %+v", endpoint)
+ log.Errorf("Error finding the ipv6 flow by IP and VLAN for local endpoint: %+v", endpoint)
return errors.New("Flow not found")
}
@@ -704,10 +704,11 @@ func (self *Vrouter) AddVtepPort(portNo uint32, remoteIp net.IP) error {
}
//set vrf id as METADATA
- vrfmetadata, vrfmetadataMask := Vrfmetadata(*vrfid)
+ vrfmetadata, vrfmetadataMask := VrfSrcMetadata(*vrfid)
+ dstVrfMetadata, dstVrfMetadataMask := VrfDestMetadata(*vrfid)
- metadata := METADATA_RX_VTEP | vrfmetadata
- metadataMask := METADATA_RX_VTEP | vrfmetadataMask
+ metadata := METADATA_RX_VTEP | vrfmetadata | dstVrfMetadata
+ metadataMask := METADATA_RX_VTEP | vrfmetadataMask | dstVrfMetadataMask
portVlanFlow.SetMetadata(metadata, metadataMask)
@@ -800,7 +801,7 @@ func (self *Vrouter) AddVlan(vlanId uint16, vni uint32, vrf string) error {
}
//set vrf id as METADATA
- vrfmetadata, vrfmetadataMask := Vrfmetadata(*vrfid)
+ vrfmetadata, vrfmetadataMask := VrfSrcMetadata(*vrfid)
// Set the metadata to indicate packet came in from VTEP port
metadata := METADATA_RX_VTEP | vrfmetadata
@@ -873,7 +874,7 @@ func (self *Vrouter) AddEndpoint(endpoint *OfnetEndpoint) error {
}
//set vrf id as METADATA
- metadata, metadataMask := Vrfmetadata(*vrfid)
+ metadata, metadataMask := VrfDestMetadata(*vrfid)
// Install the IP address
ipFlow, err := self.ipTable.NewFlow(ofctrl.FlowMatch{
@@ -934,7 +935,7 @@ func (self *Vrouter) RemoveEndpoint(endpoint *OfnetEndpoint) error {
flowId := self.agent.getEndpointIdByIpVlan(endpoint.IpAddr, endpoint.Vlan)
ipFlow := self.flowDb[flowId]
if ipFlow == nil {
- log.Errorf("Error finding the flow for endpoint: %+v", endpoint)
+ log.Errorf("Error finding the flow to remove by IP and VLAN for endpoint: %+v", endpoint)
return errors.New("Flow not found")
}
@@ -990,7 +991,7 @@ func (self *Vrouter) AddRemoteIpv6Flow(endpoint *OfnetEndpoint) error {
}
//set vrf id as METADATA
- metadata, metadataMask := Vrfmetadata(*vrfid)
+ metadata, metadataMask := VrfDestMetadata(*vrfid)
// Install the IP address
ipv6Flow, err := self.ipTable.NewFlow(ofctrl.FlowMatch{
@@ -1040,7 +1041,7 @@ func (self *Vrouter) RemoveRemoteIpv6Flow(endpoint *OfnetEndpoint) error {
flowId := self.agent.getEndpointIdByIpVlan(endpoint.Ipv6Addr, endpoint.Vlan)
ipv6Flow := self.flowDb[flowId]
if ipv6Flow == nil {
- log.Errorf("Error finding the flow for endpoint: %+v", endpoint)
+ log.Errorf("Error finding the IPv6 flow for removal by IP and VLAN for endpoint: %+v", endpoint)
return errors.New("Flow not found")
}
@@ -1302,9 +1303,24 @@ func (self *Vrouter) processArp(pkt protocol.Ethernet, inPort uint32) {
}
}
-func Vrfmetadata(vrfid uint16) (uint64, uint64) {
- metadata := uint64(vrfid) << 32
- metadataMask := uint64(0xFF00000000)
+func VrfDestMetadata(vrfid uint16) (uint64, uint64) {
+ // 1 bit for VTEP, 16 for group
+ metadata := uint64(vrfid) << 17
+ // 14 bits shifted 1 for vtep flag and 16 for group
+ // format((((1<<14))-1)<<(1+16), 'x')
+ metadataMask := uint64(0x7ffe0000)
+ metadata = metadata & metadataMask
+
+ return metadata, metadataMask
+}
+
+func VrfSrcMetadata(vrfid uint16) (uint64, uint64) {
+ // 1 bit for VTEP, 30 for dest tenant+group, 16 for group
+ metadata := uint64(vrfid) << 47
+ // 14 bits shifted 1 for vtep flag and 30 for dest tenant+group
+ // and 16 for source group
+ // format((((1<<14))-1)<<(1+30+16), 'x')
+ metadataMask := uint64(0x1FFF800000000000)
metadata = metadata & metadataMask
return metadata, metadataMask
diff --git a/vendor/github.com/contiv/ofnet/vxlanBridge.go b/vendor/github.com/contiv/ofnet/vxlanBridge.go
index 889f7d58e..168c5392e 100755
--- a/vendor/github.com/contiv/ofnet/vxlanBridge.go
+++ b/vendor/github.com/contiv/ofnet/vxlanBridge.go
@@ -490,10 +490,11 @@ func (self *Vxlan) AddVtepPort(portNo uint32, remoteIp net.IP) error {
return fmt.Errorf("Unable to find vrf for vlan %v", *vlan)
}
//set vrf id as METADATA
- vrfmetadata, vrfmetadataMask := Vrfmetadata(*vrfid)
+ vrfmetadata, vrfmetadataMask := VrfSrcMetadata(*vrfid)
+ dstVrfMetadata, dstVrfMetadataMask := VrfDestMetadata(*vrfid)
- metadata := METADATA_RX_VTEP | vrfmetadata
- metadataMask := METADATA_RX_VTEP | vrfmetadataMask
+ metadata := METADATA_RX_VTEP | vrfmetadata | dstVrfMetadata
+ metadataMask := METADATA_RX_VTEP | vrfmetadataMask | dstVrfMetadataMask
portVlanFlow.SetMetadata(metadata, metadataMask)
@@ -620,10 +621,11 @@ func (self *Vxlan) AddVlan(vlanId uint16, vni uint32, vrf string) error {
return fmt.Errorf("Unable to find vrf for vlan %v", *vlan)
}
//set vrf id as METADATA
- vrfmetadata, vrfmetadataMask := Vrfmetadata(*vrfid)
+ vrfmetadata, vrfmetadataMask := VrfSrcMetadata(*vrfid)
+ dstVrfMetadata, dstVrfMetadataMask := VrfDestMetadata(*vrfid)
- metadata := METADATA_RX_VTEP | vrfmetadata
- metadataMask := METADATA_RX_VTEP | vrfmetadataMask
+ metadata := METADATA_RX_VTEP | vrfmetadata | dstVrfMetadata
+ metadataMask := METADATA_RX_VTEP | vrfmetadataMask | dstVrfMetadataMask
portVlanFlow.SetMetadata(metadata, metadataMask)