Merge pull request #3094 from MichaelWasher/kill_on_exception_with_fi…

…lter_id Add dynamic ACLs for chewie
faucetsdn · Jul 4, 2019 · d4ff92d · d4ff92d
2 parents 20bc25b + 74c4abc
commit d4ff92d
Show file tree

Hide file tree

Showing 8 changed files with 309 additions and 45 deletions.
diff --git a/docs/configuration.rst b/docs/configuration.rst
@@ -391,12 +391,16 @@ with the configuration block 'dot1x':
       - Shared secret used by the RADIUS server and the 802.1X speaker. - NOTE: Faucet will only use the config from the first dp
     * - noauth_acl
       - str
-      -
+      - None
       - The name of the defined ACL [refer to acls.yaml for more information] that will be set to all 802.1X ports by default, that is before any user is authenticated. - NOTE: Faucet will only use the config from the first dp
     * - auth_acl
       - str
-      -
+      - None
       - The name of the defined ACL [refer to acls.yaml for more information] that will be set to an 802.1X port when a user authenticates. - NOTE: Faucet will only use the config from the first dp
+    * - dot1x_assigned
+      - boolean
+      - False
+      - True, if this ACL can be dynamically assigned by a RADIUS server during 802.1X authentication.
 
 
 
@@ -450,6 +454,10 @@ OFP port number ranges (eg. 1-6).
       - boolean
       - False
       - Enable 802.1X Mac Authentication Bypass on port (NOTE: Requires dot1x attribute)
+    * - enabled
+      - boolean
+      - True
+      - Enable 802.1X Per User ACLs on port (NOTE: Requires dot1x attribute and ACL with dot1x_assigned)
     * - enabled
       - boolean
       - True

diff --git a/faucet/acl.py b/faucet/acl.py
@@ -67,10 +67,12 @@ class ACL(Conf):
     defaults = {
         'rules': None,
         'exact_match': False,
+        'dot1x_assigned': False,
     }
     defaults_types = {
         'rules': list,
         'exact_match': bool,
+        'dot1x_assigned': bool,
     }
     rule_types = {
         'cookie': int,
@@ -105,6 +107,7 @@ class ACL(Conf):
     def __init__(self, _id, dp_id, conf):
         self.rules = []
         self.exact_match = None
+        self.dot1x_assigned = None
         self.meter = False
         self.matches = {}
         self.set_fields = set()

diff --git a/faucet/dp.py b/faucet/dp.py
@@ -383,15 +383,13 @@ def _generate_acl_tables(self):
         all_acls = {}
         if self.dot1x:
             # NOTE: All acl's are added to the acl list and then referred to later by ports
-            all_acls['port_acl'] = [PORT_ACL_8021X, MAB_ACL_8021X]
+            acls = [PORT_ACL_8021X, MAB_ACL_8021X,
+                    self.acls.get(self.dot1x.get('auth_acl'), None),
+                    self.acls.get(self.dot1x.get('noauth_acl'), None)
+                ]
 
-            auth_acl = self.acls.get(self.dot1x.get('auth_acl'))
-            noauth_acl = self.acls.get(self.dot1x.get('noauth_acl'))
-
-            if auth_acl:
-                all_acls['port_acl'].append(auth_acl)
-            if noauth_acl:
-                all_acls['port_acl'].append(noauth_acl)
+            acls.extend([acl for acl_name, acl in self.acls.items() if acl.dot1x_assigned])
+            all_acls['port_acl'] = [acl for acl in acls if acl is not None]
 
         for vlan in self.vlans.values():
             if vlan.acls_in:
@@ -1065,28 +1063,34 @@ def resolve_acls():
                     vlan.acls_out = acls
                     verify_acl_exact_match(acls)
             for port in self.ports.values():
-                acls = []
                 if port.acls_in:
+                    acls = []
                     test_config_condition(self.dp_acls, (
                         'dataplane ACLs cannot be used with port ACLs.'))
                     for acl in port.acls_in:
                         resolve_acl(acl, port_num=port.number)
                         acls.append(self.acls[acl])
                         resolved.append(acl)
+                    port.acls_in = acls
+                    verify_acl_exact_match(acls)
+
+                if port.dot1x_dyn_acl:
+                    acl_names = [acl_name for acl_name, acl in self.acls.items()
+                                 if acl.dot1x_assigned]
+
+                    for acl_name in acl_names:
+                        resolve_acl(acl_name, port_num=port.number)
+                        resolved.append(acl_name)
 
                 if port.dot1x_acl:
-                    if self.dot1x.get('noauth_acl'):
-                        noauth_acl = self.dot1x.get('noauth_acl')
-                        resolve_acl(noauth_acl, port_num=port.number)
-                        resolved.append(noauth_acl)
-
-                    if self.dot1x.get('auth_acl'):
-                        auth_acl = self.dot1x.get('auth_acl')
-                        resolve_acl(auth_acl, port_num=port.number)
-                        resolved.append(auth_acl)
-
-                port.acls_in = acls
-                verify_acl_exact_match(acls)
+                    acl_names = [self.dot1x.get('auth_acl'),
+                                 self.dot1x.get('noauth_acl')]
+
+                    for acl_name in acl_names:
+                        if self.acls.get(acl_name, None):
+                            resolve_acl(acl_name, port_num=port.number)
+                            resolved.append(acl_name)
+
             if self.dp_acls:
                 acls = []
                 for acl in self.acls:

diff --git a/faucet/faucet_dot1x.py b/faucet/faucet_dot1x.py
@@ -85,10 +85,10 @@ def _get_valve_and_port(self, port_id):
         valve, port = self.mac_to_port[port_id]
         return (valve, port)
 
-    def _get_acls(self, dp):
+    def _get_acls(self, datapath):
         """Returns tuple of acl values"""
-        auth_acl = dp.acls.get(self._auth_acl_name)
-        noauth_acl = dp.acls.get(self._noauth_acl_name)
+        auth_acl = datapath.acls.get(self._auth_acl_name)
+        noauth_acl = datapath.acls.get(self._noauth_acl_name)
         return (auth_acl, noauth_acl)
 
     # Loggin Methods
@@ -118,8 +118,8 @@ def auth_handler(self, address, port_id, *args, **kwargs):  # pylint: disable=un
 
         self.log_auth_event(valve, port_num, address_str, 'success')
         flowmods = self._get_login_flowmod(dot1x_port, valve, address_str,
-                                           kwargs.get('vlan_name', None))
-
+                                           kwargs.get('vlan_name', None),
+                                           kwargs.get('filter_id', None))
         if flowmods:
             self._send_flow_msgs(valve, flowmods)
 
@@ -331,23 +331,34 @@ def _get_logoff_flowmod(self, dot1x_port, valve, mac_str):
             self._add_unauthenticated_flowmod(dot1x_port, valve))
         return flowmods
 
-    def _get_login_flowmod(self, dot1x_port, valve, mac_str, vlan_name):
+    def _get_login_flowmod(self, dot1x_port, valve,  # pylint: disable=too-many-arguments
+                           mac_str, vlan_name, acl_name):
         """Return flowmods required to login port"""
         flowmods = []
         flowmods.extend(
             self._del_unauthenticated_flowmod(dot1x_port, valve))
         flowmods.extend(
-            self._add_authenticated_flowmod(dot1x_port, valve, mac_str, vlan_name))
+            self._add_authenticated_flowmod(dot1x_port, valve, mac_str, vlan_name, acl_name))
         return flowmods
 
-    def _add_authenticated_flowmod(self, dot1x_port, valve, mac_str, vlan_name):
+    def _add_authenticated_flowmod(self, dot1x_port, valve,  # pylint: disable=too-many-arguments
+                                   mac_str, vlan_name, acl_name):
         """Return flowmods for successful authentication on port"""
         port_num = dot1x_port.number
         flowmods = []
         acl_manager = valve.acl_manager
 
-        if dot1x_port.dot1x_acl:
+        acl = valve.dp.acls.get(acl_name, None)
+        if dot1x_port.dot1x_dyn_acl and acl:
+            self.logger.info("DOT1X_DYN_ACL: Adding ACL '{0}' for port '{1}'".format(
+                acl_name, port_num))
+            self.logger.debug("DOT1X_DYN_ACL: ACL contents: '{0}'".format(str(acl.__dict__)))
+            flowmods.extend(acl_manager.add_port_acl(acl, port_num, mac_str))
+        elif dot1x_port.dot1x_acl:
             auth_acl, _ = self._get_acls(valve.dp)
+            self.logger.info("DOT1X_PRE_ACL: Adding ACL '{0}' for port '{1}'".format(
+                acl_name, port_num))
+            self.logger.debug("DOT1X_PRE_ACL: ACL contents: '{0}'".format(str(auth_acl.__dict__)))
             flowmods.extend(acl_manager.add_port_acl(auth_acl, port_num, mac_str))
         else:
             flowmods.extend(acl_manager.add_authed_mac(port_num, mac_str))
@@ -365,6 +376,8 @@ def _del_authenticated_flowmod(self, dot1x_port, valve, mac_str):
         if dot1x_port.dot1x_acl:
             auth_acl, _ = self._get_acls(valve.dp)
             flowmods.extend(acl_manager.del_port_acl(auth_acl, port_num, mac_str))
+        elif dot1x_port.dot1x_dyn_acl:
+            flowmods.extend(acl_manager.del_authed_mac(port_num, mac_str, strict=False))
         else:
             flowmods.extend(acl_manager.del_authed_mac(port_num, mac_str))
 

diff --git a/faucet/port.py b/faucet/port.py
@@ -87,7 +87,8 @@ class Port(Conf):
         # If true, expects authentication and default ACLs for 802.1x auth
         'dot1x_mab': False,
         # If true, allows Mac Auth Bypass on port (NOTE: this is less secure as MACs can be spoofed)
-
+        'dot1x_dyn_acl': False,
+        # If true, expects authentication and ACLs with dot1x_assigned flag set
     }
 
     defaults_types = {
@@ -121,6 +122,7 @@ class Port(Conf):
         'dot1x': bool,
         'dot1x_acl': bool,
         'dot1x_mab': bool,
+        'dot1x_dyn_acl': bool,
         'max_lldp_lost': int,
     }
 
@@ -149,6 +151,7 @@ def __init__(self, _id, dp_id, conf=None):
         self.dot1x = None
         self.dot1x_acl = None
         self.dot1x_mab = None
+        self.dot1x_dyn_acl = None
         self.dp_id = None
         self.enabled = None
         self.hairpin = None
@@ -240,6 +243,15 @@ def check_config(self):
         if self.dot1x_mab:
             test_config_condition(not self.dot1x, (
                 '802.1x_MAB requires dot1x to be enabled on the port also'))
+            test_config_condition(self.dot1x_dyn_acl, (
+                '802.1x_ACL cannot be used with 802.1x_DYN_ACL'))
+        if self.dot1x_dyn_acl:
+            test_config_condition(not self.dot1x, (
+                '802.1x_DYN_ACL requires dot1x to be enabled also'))
+            test_config_condition(self.dot1x_acl, (
+                '802.1x_DYN_ACL cannot be used with 802.1x_ACL'))
+            test_config_condition(self.dot1x_acl, (
+                '802.1x_DYN_ACL cannot be used with 802.1x_MAB'))
         if self.mirror:
             test_config_condition(self.tagged_vlans or self.native_vlan, (
                 'mirror port %s cannot have any VLANs assigned' % self))

diff --git a/faucet/valve_acl.py b/faucet/valve_acl.py
@@ -91,9 +91,10 @@ def build_output_actions(acl_table, output_dict):
 
 # TODO: change this, maybe this can be rewritten easily
 # possibly replace with a class for ACLs
-def build_acl_entry(acl_table, rule_conf, meters,
-                    acl_allow_inst, acl_force_port_vlan_inst,
-                    port_num=None, vlan_vid=None):
+def build_acl_entry(  # pylint: disable=too-many-arguments,too-many-branches,too-many-statements
+        acl_table, rule_conf, meters,
+        acl_allow_inst, acl_force_port_vlan_inst,
+        port_num=None, vlan_vid=None):
     """Build flow/groupmods for one ACL rule entry."""
     acl_inst = []
     acl_act = []
@@ -180,15 +181,15 @@ def build_acl_ofmsgs(acls, acl_table,
     return ofmsgs
 
 
-def build_acl_port_of_msgs(acl, vid, port_num, acl_table, goto_table):
+def build_acl_port_of_msgs(acl, vid, port_num, acl_table, goto_table, priority):
     '''A Helper function for building Openflow Mod Messages for Port ACLs'''
     ofmsgs = None
     if acl.rules:
         ofmsgs = build_acl_ofmsgs(
             [acl], acl_table,
             [valve_of.goto_table(goto_table)],
             [valve_of.goto_table(goto_table)],
-            2 ** 16 - 1, acl.meter, acl.exact_match,
+            priority, acl.meter, acl.exact_match,
             vlan_vid=vid, port_num=port_num)
     return ofmsgs
 
@@ -215,6 +216,7 @@ def __init__(self, port_acl_table, vlan_acl_table, egress_acl_table,
         self.vlan_acl_table = vlan_acl_table
         self.egress_acl_table = egress_acl_table
         self.pipeline = pipeline
+        # TODO Rename priorities
         self.acl_priority = self._FILTER_PRIORITY
         self.dot1x_static_rules_priority = self.acl_priority + 1
         self.auth_priority = self._HIGH_PRIORITY
@@ -298,17 +300,17 @@ def add_authed_mac(self, port_num, mac):
             priority=self.auth_priority,
             inst=self.pipeline.accept_to_vlan())]
 
-    def del_authed_mac(self, port_num, mac=None):
+    def del_authed_mac(self, port_num, mac=None, strict=True):
         """remove authed mac address"""
         if mac:
             return [self.port_acl_table.flowdel(
                 self.port_acl_table.match(in_port=port_num, eth_src=mac),
                 priority=self.auth_priority,
-                strict=True)]
+                strict=strict)]
         return [self.port_acl_table.flowdel(
             self.port_acl_table.match(in_port=port_num),
             priority=self.auth_priority,
-            strict=True)]
+            strict=strict)]
 
     def del_port_acl(self, acl, port_num, mac=None):
         """Delete ACL rules for Port"""
@@ -322,7 +324,7 @@ def convert_to_flow_del(ofp_flowmods):
 
         pipeline_vlan_table = self.pipeline.vlan_table
         flowmods = build_acl_port_of_msgs(acl, None, port_num, self.port_acl_table,
-                                          pipeline_vlan_table)
+                                          pipeline_vlan_table, self.auth_priority)
         for flow in flowmods:
             flow.match = add_mac_address_to_match(flow.match, mac)
 
@@ -331,8 +333,8 @@ def convert_to_flow_del(ofp_flowmods):
     def add_port_acl(self, acl, port_num, mac=None):
         """Create ACL openflow rules for Port"""
         pipeline_vlan_table = self.pipeline.vlan_table
-        flowmods = build_acl_port_of_msgs(acl, None, port_num,
-                                          self.port_acl_table, pipeline_vlan_table)
+        flowmods = build_acl_port_of_msgs(acl, None, port_num, self.port_acl_table,
+                                          pipeline_vlan_table, self.auth_priority)
 
         for flow in flowmods:
             flow.match = add_mac_address_to_match(flow.match, mac)