Added drop rules to prevent packets for virtual networks go out

through the physical network

Change-Id: I84dddb0c7ca4764c00566c29c163badc8d5c538f

@@ -196,6 +196,7 @@ public class CordVtnRuleInstaller {
 
 
         populateLocalInPortRule(deviceId, inPort, hostIp);
         populateLocalInPortRule(deviceId, inPort, hostIp);
         populateDirectAccessRule(Ip4Prefix.valueOf(subnet.cidr()), Ip4Prefix.valueOf(subnet.cidr()));
         populateDirectAccessRule(Ip4Prefix.valueOf(subnet.cidr()), Ip4Prefix.valueOf(subnet.cidr()));
+        populateServiceIsolationRule(Ip4Prefix.valueOf(subnet.cidr()));
         populateDstIpRule(deviceId, inPort, dstMac, hostIp, tunnelId, tunnelIp);
         populateDstIpRule(deviceId, inPort, dstMac, hostIp, tunnelId, tunnelIp);
         populateTunnelInRule(deviceId, inPort, dstMac, tunnelId);
         populateTunnelInRule(deviceId, inPort, dstMac, tunnelId);
     }
     }
@@ -785,6 +786,37 @@ public class CordVtnRuleInstaller {
                     .fromApp(appId)
                     .fromApp(appId)
                     .withSelector(selector)
                     .withSelector(selector)
                     .withTreatment(treatment)
                     .withTreatment(treatment)
+                    .withPriority(DEFAULT_PRIORITY)
+                    .forDevice(device.id())
+                    .forTable(TABLE_ACCESS_TYPE)
+                    .makePermanent()
+                    .build();
+
+            processFlowRule(true, flowRuleDirect);
+        }
+    }
+
+    /**
+     * Populates drop rules that does not match any direct access rules but has
+     * destination to a different service network in ACCESS_TYPE table.
+     *
+     * @param dstRange destination ip range
+     */
+    private void populateServiceIsolationRule(Ip4Prefix dstRange) {
+        TrafficSelector selector = DefaultTrafficSelector.builder()
+                .matchEthType(Ethernet.TYPE_IPV4)
+                .matchIPDst(dstRange)
+                .build();
+
+        TrafficTreatment treatment = DefaultTrafficTreatment.builder()
+                .drop()
+                .build();
+
+        for (Device device : deviceService.getAvailableDevices(SWITCH)) {
+            FlowRule flowRuleDirect = DefaultFlowRule.builder()
+                    .fromApp(appId)
+                    .withSelector(selector)
+                    .withTreatment(treatment)
                     .withPriority(LOW_PRIORITY)
                     .withPriority(LOW_PRIORITY)
                     .forDevice(device.id())
                     .forDevice(device.id())
                     .forTable(TABLE_ACCESS_TYPE)
                     .forTable(TABLE_ACCESS_TYPE)
@@ -820,7 +852,7 @@ public class CordVtnRuleInstaller {
                     .fromApp(appId)
                     .fromApp(appId)
                     .withSelector(selector)
                     .withSelector(selector)
                     .withTreatment(treatment)
                     .withTreatment(treatment)
-                    .withPriority(DEFAULT_PRIORITY)
+                    .withPriority(HIGH_PRIORITY)
                     .forDevice(outGroup.getKey())
                     .forDevice(outGroup.getKey())
                     .forTable(TABLE_ACCESS_TYPE)
                     .forTable(TABLE_ACCESS_TYPE)
                     .makePermanent()
                     .makePermanent()