/**
 * Builds the default rule, which matches on anything: every match field is
 * set to its NONE/ANY sentinel and the corresponding {@code any_*} flag is
 * true. The rule has priority 0, action ALLOW and ruleid 0.
 */
public FirewallRule() {
    // Wildcard flags first: every field is "don't care" by default.
    this.any_dpid = true;
    this.any_in_port = true;
    this.any_dl_src = true;
    this.any_dl_dst = true;
    this.any_dl_type = true;
    this.any_nw_src = true;
    this.any_nw_dst = true;
    this.any_nw_proto = true;
    this.any_tp_src = true;
    this.any_tp_dst = true;

    // Switch and ingress port.
    this.dpid = DatapathId.NONE;
    this.in_port = OFPort.ANY;
    // Layer 2.
    this.dl_src = MacAddress.NONE;
    this.dl_dst = MacAddress.NONE;
    this.dl_type = EthType.NONE;
    // Layer 3.
    this.nw_src_prefix_and_mask = IPv4AddressWithMask.NONE;
    this.nw_dst_prefix_and_mask = IPv4AddressWithMask.NONE;
    this.nw_proto = IpProtocol.NONE;
    // Layer 4.
    this.tp_src = TransportPort.NONE;
    this.tp_dst = TransportPort.NONE;

    // Rule bookkeeping.
    this.priority = 0;
    this.action = FirewallAction.ALLOW;
    this.ruleid = 0;
}
@Test
public void testSerializeWithoutPayload() {
    // 40-byte fixed IPv6 header and nothing else: version/traffic class/flow
    // label word, payload length 0, next header 0x11, hop limit 0xE1, then the
    // 16-byte source and destination addresses.
    byte[] wire = new byte[] {
        0x64, 0x2B, 0x16, (byte) 0x95,
        0x00, 0x00, 0x11, (byte) 0xE1,
        (byte) 0xFE, (byte) 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x7A, (byte) 0xC5, (byte) 0xFF, (byte) 0xFE, 0x2E, 0x77, 0x35,
        (byte) 0xFE, (byte) 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x77, 0x5D, (byte) 0xFF, (byte) 0xFE, (byte) 0xC2, 0x30, (byte) 0xFD
    };

    IPv6 header = new IPv6()
        .setTrafficClass((byte) 0x42)
        .setFlowLabel(0xB1695)
        .setPayloadLength((short) 0)
        .setNextHeader(IpProtocol.of((short) 0x11))
        .setHopLimit((byte) 0xE1)
        .setSourceAddress(IPv6Address.of("fe80::7a:c5ff:fe2e:7735"))
        .setDestinationAddress(IPv6Address.of("fe80::77:5dff:fec2:30fd"));

    byte[] serialized = header.serialize();
    assertTrue(Arrays.equals(wire, serialized));
}
@Test
public void testRuleDeletion() throws Exception {
    // Insert a single TCP-matching rule.
    FirewallRule tcpRule = new FirewallRule();
    tcpRule.nw_proto = IpProtocol.TCP;
    tcpRule.any_nw_proto = false;
    tcpRule.priority = 1;
    firewall.addRule(tcpRule);
    int ruleId = tcpRule.ruleid;

    // It must be the only stored row, and carry the same id (stored as a string).
    List<Map<String, Object>> stored = firewall.getStorageRules();
    assertEquals(1, stored.size());
    assertEquals(Integer.parseInt((String) stored.get(0).get("ruleid")), ruleId);

    // Deleting by id empties the storage again.
    firewall.deleteRule(ruleId);
    stored = firewall.getStorageRules();
    assertEquals(0, stored.size());
}
@Test
public void testFirewallDisabled() throws Exception {
    // The firewall is not enabled in this test, so even a rule that would
    // match the packet must not produce a routing decision.
    FirewallRule tcpRule = new FirewallRule();
    tcpRule.nw_proto = IpProtocol.TCP;
    tcpRule.any_nw_proto = false;
    tcpRule.priority = 1;
    firewall.addRule(tcpRule);

    this.setPacketIn(tcpPacket);
    firewall.receive(sw, this.packetIn, cntx);
    verify(sw);

    // The rule was still stored; only the decision is absent.
    assertEquals(1, firewall.rules.size());
    IRoutingDecision outcome = IRoutingDecision.rtStore.get(cntx, IRoutingDecision.CONTEXT_DECISION);
    assertNull(outcome);
}
/**
 * Creates a flow record. Every argument is stored verbatim on the field of
 * the same name; nothing is validated or copied.
 */
public FlowRecord(IPv6Address srcAddr, IPv6Address dstAddr, TransportPort srcPort, TransportPort dstPort, IpProtocol prot, byte tos, int input, int pkts, int octs, long first, long last, byte tcpflags, int drops, int type, long timestamp) {
    // Endpoints.
    this.srcAddr = srcAddr;
    this.dstAddr = dstAddr;
    this.srcPort = srcPort;
    this.dstPort = dstPort;
    // Protocol and header-derived fields.
    this.prot = prot;
    this.tos = tos;
    this.tcpflags = tcpflags;
    // Input and counters.
    this.input = input;
    this.pkts = pkts;
    this.octs = octs;
    this.drops = drops;
    // Timing and classification.
    this.first = first;
    this.last = last;
    this.timestamp = timestamp;
    this.type = type;
}
/**
 * Creates a persistence row for one flow. Every argument is stored verbatim
 * on the field of the same name; nothing is validated or copied.
 */
public FlowPersistence(IPv6Address srcAddr, IPv6Address dstAddr, TransportPort srcPort, TransportPort dstPort, IpProtocol prot, byte tos, int input, int pkts, int octs, long first, long last, byte tcpflags, int drops, int type, long timestamp) {
    // Endpoints.
    this.srcAddr = srcAddr;
    this.dstAddr = dstAddr;
    this.srcPort = srcPort;
    this.dstPort = dstPort;
    // Protocol and header-derived fields.
    this.prot = prot;
    this.tos = tos;
    this.tcpflags = tcpflags;
    // Input and counters.
    this.input = input;
    this.pkts = pkts;
    this.octs = octs;
    this.drops = drops;
    // Timing and classification.
    this.first = first;
    this.last = last;
    this.timestamp = timestamp;
    this.type = type;
}
/**
 * Inserts one constructed sample flow through the DAO. The values are
 * arbitrary placeholders, not captured traffic.
 */
public static void main(String[] args) {
    IPv6Address src = IPv6Address.of(11L, 11L);
    IPv6Address dst = IPv6Address.of(12L, 12L);
    TransportPort srcPort = TransportPort.of(11);
    TransportPort dstPort = TransportPort.of(12);
    IpProtocol proto = IpProtocol.of((byte) 67);
    byte tos = 1;
    int input = 1;
    int pkts = 1212;
    int octs = 123123;
    // Three separate clock reads, as in the original.
    long first = System.currentTimeMillis();
    long last = System.currentTimeMillis();
    byte tcpflags = 11;
    int drops = 1223;
    int type = 2; // why the flow is no longer active (translated from the original comment)
    long timestamp = System.currentTimeMillis();

    FlowPersistence row = new FlowPersistence(src, dst, srcPort, dstPort, proto, tos, input,
            pkts, octs, first, last, tcpflags, drops, type, timestamp);
    FlowStatisticsDAO dao = new FlowStatisticsDAOImpl();
    dao.insertFlow(row);
}
/**
 * Builds the Ethernet/IPv4/UDP frame used by the tests: a VerificationPacket
 * with chassis (type 1, 7 bytes), port (type 2, 3 bytes) and TTL (type 3,
 * 2 bytes) TLVs, carried over UDP on VERIFICATION_PACKET_UDP_PORT both ways.
 *
 * @return the assembled frame, with the IPv4 and UDP layers already attached
 */
protected IPacket getPacket() {
    // Innermost layer: the LLDP-style verification TLVs.
    VerificationPacket verification = new VerificationPacket()
        .setChassisId(new LLDPTLV().setType((byte) 1).setLength((short) 7)
            .setValue(new byte[] {0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}))
        .setPortId(new LLDPTLV().setType((byte) 2).setLength((short) 3)
            .setValue(new byte[] {0x02, 0x00, 0x01}))
        .setTtl(new LLDPTLV().setType((byte) 3).setLength((short) 2)
            .setValue(new byte[] {0x00, 0x78}));

    UDP transport = new UDP()
        .setDestinationPort(TransportPort.of(PathVerificationService.VERIFICATION_PACKET_UDP_PORT))
        .setSourcePort(TransportPort.of(PathVerificationService.VERIFICATION_PACKET_UDP_PORT));
    transport.setPayload(new Data(verification.serialize()));

    IPv4 network = new IPv4()
        .setSourceAddress("192.168.0.1")
        .setDestinationAddress(PathVerificationService.VERIFICATION_PACKET_IP_DST)
        .setProtocol(IpProtocol.UDP);
    network.setPayload(transport);

    Ethernet frame = new Ethernet()
        .setDestinationMACAddress("AA:BB:CC:DD:EE:FF")
        .setSourceMACAddress("11:22:33:44:55:66")
        .setEtherType(EthType.IPv4);
    frame.setPayload(network);
    return frame;
}
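/**
 * Reports whether the packet-in payload stored in the flow context is an
 * IPv4 packet carrying ICMP.
 *
 * @param cntx flow-processing context whose Floodlight context holds the
 *             parsed packet-in payload under CONTEXT_PI_PAYLOAD
 * @return true only for an IPv4 frame whose parsed payload is an IPv4 packet
 *         with protocol ICMP; false for a missing payload, a non-IPv4 frame,
 *         or a frame whose payload was not parsed as IPv4
 */
@Override
public boolean isICMP(FPContext cntx) {
    FloodlightContext flCntx = cntx.getFlowContext();
    Ethernet eth = IFloodlightProviderService.bcStore.get(flCntx, IFloodlightProviderService.CONTEXT_PI_PAYLOAD);
    // No parsed payload in this context: nothing to classify.
    if (eth == null) {
        return false;
    }
    if (eth.getEtherType() != EthType.IPv4) {
        return false;
    }
    // Guard the cast: a payload that is not an IPv4 instance (e.g. one the
    // deserializer could not parse) made the original unchecked cast throw
    // ClassCastException on a hostile or truncated packet.
    if (!(eth.getPayload() instanceof IPv4)) {
        return false;
    }
    IPv4 ipv4 = (IPv4) eth.getPayload();
    return ipv4.getProtocol() == IpProtocol.ICMP;
}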
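/**
 * Reports whether the packet-in payload stored in the flow context is an
 * IPv4 packet carrying TCP.
 *
 * @param cntx flow-processing context whose Floodlight context holds the
 *             parsed packet-in payload under CONTEXT_PI_PAYLOAD
 * @return true only for an IPv4 frame whose parsed payload is an IPv4 packet
 *         with protocol TCP; false for a missing payload, a non-IPv4 frame,
 *         or a frame whose payload was not parsed as IPv4
 */
@Override
public boolean isTCP(FPContext cntx) {
    FloodlightContext flCntx = cntx.getFlowContext();
    Ethernet eth = IFloodlightProviderService.bcStore.get(flCntx, IFloodlightProviderService.CONTEXT_PI_PAYLOAD);
    // No parsed payload in this context: nothing to classify.
    if (eth == null) {
        return false;
    }
    if (eth.getEtherType() != EthType.IPv4) {
        return false;
    }
    // Guard the cast: a payload that is not an IPv4 instance (e.g. one the
    // deserializer could not parse) made the original unchecked cast throw
    // ClassCastException on a hostile or truncated packet.
    if (!(eth.getPayload() instanceof IPv4)) {
        return false;
    }
    IPv4 ipv4 = (IPv4) eth.getPayload();
    return ipv4.getProtocol() == IpProtocol.TCP;
}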
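/**
 * Reports whether the packet-in payload stored in the flow context is an
 * IPv4 packet carrying UDP.
 *
 * @param cntx flow-processing context whose Floodlight context holds the
 *             parsed packet-in payload under CONTEXT_PI_PAYLOAD
 * @return true only for an IPv4 frame whose parsed payload is an IPv4 packet
 *         with protocol UDP; false for a missing payload, a non-IPv4 frame,
 *         or a frame whose payload was not parsed as IPv4
 */
@Override
public boolean isUDP(FPContext cntx) {
    FloodlightContext flCntx = cntx.getFlowContext();
    Ethernet eth = IFloodlightProviderService.bcStore.get(flCntx, IFloodlightProviderService.CONTEXT_PI_PAYLOAD);
    // No parsed payload in this context: nothing to classify.
    if (eth == null) {
        return false;
    }
    if (eth.getEtherType() != EthType.IPv4) {
        return false;
    }
    // Guard the cast: a payload that is not an IPv4 instance (e.g. one the
    // deserializer could not parse) made the original unchecked cast throw
    // ClassCastException on a hostile or truncated packet.
    if (!(eth.getPayload() instanceof IPv4)) {
        return false;
    }
    IPv4 ipv4 = (IPv4) eth.getPayload();
    return ipv4.getProtocol() == IpProtocol.UDP;
}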
/**
 * Constructs an empty IPv6 header: version 6, next header NONE and
 * unspecified (NONE) source and destination addresses.
 */
public IPv6() {
    super();
    this.version = 6;
    this.sourceAddress = IPv6Address.NONE;
    this.destinationAddress = IPv6Address.NONE;
    this.nextHeader = IpProtocol.NONE;
}
/**
 * Constructs an empty IPv4 header: version 4, protocol NONE, unspecified
 * (NONE) addresses, and the truncated/fragment flags cleared.
 */
public IPv4() {
    super();
    this.version = 4;
    this.sourceAddress = IPv4Address.NONE;
    this.destinationAddress = IPv4Address.NONE;
    this.protocol = IpProtocol.NONE;
    // Parsing state flags; nothing has been deserialized yet.
    this.isTruncated = false;
    this.isFragment = false;
}
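/**
 * Installs, on every port of the newly added switch, a static flow that
 * sends DHCP client --> DHCP server traffic (IPv4/UDP with source port
 * UDP.DHCP_CLIENT_PORT, i.e. 67) to the controller.
 *
 * Fix over the original: the action list was created once outside the loop
 * and appended to on every iteration, so the flow for the N-th port carried
 * N copies of the output action. The list is now built per flow.
 *
 * @param dpid datapath id of the switch that was just added
 */
@Override
public void switchAdded(DatapathId dpid) {
    IOFSwitch sw = switchService.getSwitch(dpid);
    // The switch can already be gone by the time this callback runs.
    if (sw == null) {
        return;
    }

    // The output-to-controller action is identical for every port; build it once.
    OFActionOutput.Builder action = sw.getOFFactory().actions().buildOutput();
    // 0xffFFffFF is the max-length value carried over from the original
    // (send the whole packet) — presumably the factory's "no buffer" sentinel; verify.
    action.setMaxLen(0xffFFffFF);
    action.setPort(OFPort.CONTROLLER);
    OFAction toController = action.build();

    for (OFPortDesc port : sw.getPorts()) {
        Match.Builder match = sw.getOFFactory().buildMatch();
        match.setExact(MatchField.IN_PORT, port.getPortNo());
        match.setExact(MatchField.ETH_TYPE, EthType.IPv4);
        match.setExact(MatchField.IP_PROTO, IpProtocol.UDP);
        match.setExact(MatchField.UDP_SRC, UDP.DHCP_CLIENT_PORT);

        // Fresh list per flow so each flow carries exactly one action.
        ArrayList<OFAction> actionList = new ArrayList<OFAction>(1);
        actionList.add(toController);

        OFFlowAdd.Builder flow = sw.getOFFactory().buildFlowAdd();
        flow.setBufferId(OFBufferId.NO_BUFFER);
        flow.setHardTimeout(0);
        flow.setIdleTimeout(0);
        flow.setOutPort(OFPort.CONTROLLER);
        flow.setActions(actionList);
        flow.setMatch(match.build());
        flow.setPriority(32767);

        sfp.addFlow("dhcp-port---" + port.getPortNo().getPortNumber() + "---(" + port.getName() + ")",
                flow.build(), sw.getId());
    }
}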
@Test
public void testSerialize() {
    // 20-byte IPv4 header (0x45: version 4, IHL 5), total length 20, no payload:
    // id 24142, TTL 63, protocol 6, checksum, then 172.24.74.223 -> 171.64.74.48.
    byte[] wire = new byte[] {
        0x45, 0x00, 0x00, 0x14,
        0x5e, 0x4e, 0x00, 0x00,
        0x3f, 0x06, 0x31, 0x2e,
        (byte) 0xac, 0x18, 0x4a, (byte) 0xdf,
        (byte) 0xab, 0x40, 0x4a, 0x30
    };

    IPv4 header = new IPv4()
        .setIdentification((short) 24142)
        .setTtl((byte) 63)
        .setProtocol(IpProtocol.of((byte) 0x06))
        .setSourceAddress("172.24.74.223")
        .setDestinationAddress("171.64.74.48");

    byte[] serialized = header.serialize();
    assertTrue(Arrays.equals(wire, serialized));
}
@Test
public void testReadRulesFromStorage() throws Exception {
    // Rule 1: DROP, in_port 2, MAC 01 -> MAC 02. Only the field values are
    // set; the any_* flags keep their constructor defaults.
    FirewallRule dropRule = new FirewallRule();
    dropRule.in_port = OFPort.of(2);
    dropRule.dl_src = MacAddress.of("00:00:00:00:00:01");
    dropRule.dl_dst = MacAddress.of("00:00:00:00:00:02");
    dropRule.priority = 1;
    dropRule.action = FirewallRule.FirewallAction.DROP;
    firewall.addRule(dropRule);

    // Rule 2: ALLOW, in_port 3, MAC 02 -> MAC 01, TCP to port 80.
    FirewallRule allowRule = new FirewallRule();
    allowRule.in_port = OFPort.of(3);
    allowRule.dl_src = MacAddress.of("00:00:00:00:00:02");
    allowRule.dl_dst = MacAddress.of("00:00:00:00:00:01");
    allowRule.nw_proto = IpProtocol.TCP;
    allowRule.any_nw_proto = false;
    allowRule.tp_dst = TransportPort.of(80);
    allowRule.priority = 2;
    allowRule.action = FirewallRule.FirewallAction.ALLOW;
    firewall.addRule(allowRule);

    // Round-trip through storage and compare field by field, in insertion order.
    List<FirewallRule> restored = firewall.readRulesFromStorage();

    FirewallRule first = restored.get(0);
    assertEquals(first.in_port, OFPort.of(2));
    assertEquals(first.priority, 1);
    assertEquals(first.dl_src, MacAddress.of("00:00:00:00:00:01"));
    assertEquals(first.dl_dst, MacAddress.of("00:00:00:00:00:02"));
    assertEquals(first.action, FirewallRule.FirewallAction.DROP);

    FirewallRule second = restored.get(1);
    assertEquals(second.in_port, OFPort.of(3));
    assertEquals(second.priority, 2);
    assertEquals(second.dl_src, MacAddress.of("00:00:00:00:00:02"));
    assertEquals(second.dl_dst, MacAddress.of("00:00:00:00:00:01"));
    assertEquals(second.nw_proto, IpProtocol.TCP);
    assertEquals(second.tp_dst, TransportPort.of(80));
    assertEquals(second.any_nw_proto, false);
    assertEquals(second.action, FirewallRule.FirewallAction.ALLOW);
}
@Test
public void testRuleInsertionIntoStorage() throws Exception {
    // One TCP-matching rule.
    FirewallRule tcpRule = new FirewallRule();
    tcpRule.nw_proto = IpProtocol.TCP;
    tcpRule.any_nw_proto = false;
    tcpRule.priority = 1;
    firewall.addRule(tcpRule);

    // Exactly one stored row, whose "ruleid" (kept as a string) is the rule's id.
    List<Map<String, Object>> stored = firewall.getStorageRules();
    assertEquals(1, stored.size());
    String storedId = (String) stored.get(0).get("ruleid");
    assertEquals(Integer.parseInt(storedId), tcpRule.ruleid);
}
@Test
public void testSimpleAllowRule() throws Exception {
    firewall.enableFirewall(true);

    // ALLOW (the constructor default action) for IPv4/TCP from host
    // 192.168.1.2 into the 192.168.1.0/24 network.
    FirewallRule allowRule = new FirewallRule();
    allowRule.dl_type = EthType.IPv4;
    allowRule.any_dl_type = false;
    allowRule.nw_proto = IpProtocol.TCP;
    allowRule.any_nw_proto = false;
    allowRule.nw_src_prefix_and_mask = IPv4AddressWithMask.of("192.168.1.2/32");
    allowRule.any_nw_src = false;
    allowRule.nw_dst_prefix_and_mask = IPv4AddressWithMask.of("192.168.1.0/24");
    allowRule.any_nw_dst = false;
    allowRule.priority = 1;
    firewall.addRule(allowRule);

    // First packet-in: expected to match the rule and be forwarded.
    this.setPacketIn(tcpPacketReply);
    firewall.receive(sw, this.packetIn, cntx);
    verify(sw);
    IRoutingDecision outcome = IRoutingDecision.rtStore.get(cntx, IRoutingDecision.CONTEXT_DECISION);
    assertEquals(IRoutingDecision.RoutingAction.FORWARD_OR_FLOOD, outcome.getRoutingAction());

    // Reset the stored decision; the second packet-in is expected to be dropped.
    IRoutingDecision.rtStore.remove(cntx, IRoutingDecision.CONTEXT_DECISION);
    this.setPacketIn(tcpPacket);
    firewall.receive(sw, this.packetIn, cntx);
    verify(sw);
    outcome = IRoutingDecision.rtStore.get(cntx, IRoutingDecision.CONTEXT_DECISION);
    assertEquals(IRoutingDecision.RoutingAction.DROP, outcome.getRoutingAction());
}
@Test
public void testLayer2Rule() throws Exception {
    firewall.enableFirewall(true);

    // Priority 1: L2 rule (default action ALLOW) for one src/dst MAC pair.
    FirewallRule macRule = new FirewallRule();
    macRule.dl_src = MacAddress.of("00:44:33:22:11:00");
    macRule.any_dl_src = false;
    macRule.dl_dst = MacAddress.of("00:11:22:33:44:55");
    macRule.any_dl_dst = false;
    macRule.priority = 1;
    firewall.addRule(macRule);

    // Priority 2: drop all TCP.
    FirewallRule dropTcp = new FirewallRule();
    dropTcp.nw_proto = IpProtocol.TCP;
    dropTcp.any_nw_proto = false;
    dropTcp.priority = 2;
    dropTcp.action = FirewallRule.FirewallAction.DROP;
    firewall.addRule(dropTcp);

    // The L2 allow rule is expected to decide for tcpPacket.
    this.setPacketIn(tcpPacket);
    firewall.receive(sw, this.packetIn, cntx);
    verify(sw);
    IRoutingDecision outcome = IRoutingDecision.rtStore.get(cntx, IRoutingDecision.CONTEXT_DECISION);
    assertEquals(outcome.getRoutingAction(), IRoutingDecision.RoutingAction.FORWARD_OR_FLOOD);
}
/**
 * Looks up the host id for the source side of a packet. Fields the
 * obfuscation policy does not rewrite are first replaced by a fixed
 * placeholder (MacAddress.of(1), IPv4Address.of(1), TransportPort.of(0)) and
 * the lookup is delegated to queryHostId with direction 0.
 *
 * @param mac      source MAC; ignored unless MAC_SRC is rewritten
 * @param ip       source IPv4 address; ignored unless IP_SRC is rewritten
 * @param protocol IP protocol, passed through unchanged
 * @param port     source transport port; ignored unless TP_SRC and this
 *                 specific port number are both rewritten (port is only
 *                 dereferenced when TP_SRC is rewritten)
 * @return the host id reported by queryHostId
 */
public int querySourceId(MacAddress mac, IPv4Address ip, IpProtocol protocol, TransportPort port) {
    MacAddress lookupMac = oPolicy.doRewrite(ObfuscationPolicy.Field.MAC_SRC) ? mac : MacAddress.of(1);
    IPv4Address lookupIp = oPolicy.doRewrite(ObfuscationPolicy.Field.IP_SRC) ? ip : IPv4Address.of(1);
    // Short-circuit preserved: port.getPort() is only evaluated when TP_SRC is rewritten.
    boolean rewritePort = oPolicy.doRewrite(ObfuscationPolicy.Field.TP_SRC)
            && oPolicy.doRewrite(port.getPort());
    TransportPort lookupPort = rewritePort ? port : TransportPort.of(0);
    return queryHostId(0, lookupMac, lookupIp, protocol, lookupPort);
}
/**
 * Looks up the host id for the destination side of a packet. Fields the
 * obfuscation policy does not rewrite are first replaced by a fixed
 * placeholder (MacAddress.of(1), IPv4Address.of(1), TransportPort.of(0)) and
 * the lookup is delegated to queryHostId with direction 1.
 *
 * @param mac      destination MAC; ignored unless MAC_DST is rewritten
 * @param ip       destination IPv4 address; ignored unless IP_DST is rewritten
 * @param protocol IP protocol, passed through unchanged
 * @param port     destination transport port; ignored unless TP_DST and this
 *                 specific port number are both rewritten (port is only
 *                 dereferenced when TP_DST is rewritten)
 * @return the host id reported by queryHostId
 */
public int queryDestinationId(MacAddress mac, IPv4Address ip, IpProtocol protocol, TransportPort port) {
    MacAddress lookupMac = oPolicy.doRewrite(ObfuscationPolicy.Field.MAC_DST) ? mac : MacAddress.of(1);
    IPv4Address lookupIp = oPolicy.doRewrite(ObfuscationPolicy.Field.IP_DST) ? ip : IPv4Address.of(1);
    // Short-circuit preserved: port.getPort() is only evaluated when TP_DST is rewritten.
    boolean rewritePort = oPolicy.doRewrite(ObfuscationPolicy.Field.TP_DST)
            && oPolicy.doRewrite(port.getPort());
    TransportPort lookupPort = rewritePort ? port : TransportPort.of(0);
    return queryHostId(1, lookupMac, lookupIp, protocol, lookupPort);
}
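/**
 * Installs, on every port of the newly added switch, a static flow that
 * sends DHCP client --> DHCP server traffic (IPv4/UDP with source port
 * UDP.DHCP_CLIENT_PORT, i.e. 67) to the controller.
 *
 * Fixes over the original: (1) switchService.getSwitch() may return null
 * (the switch can disconnect before this callback runs), which used to NPE;
 * (2) the action list was created once outside the loop and appended to on
 * every iteration, so the flow for the N-th port carried N copies of the
 * output action. The list is now built per flow.
 *
 * @param dpid datapath id of the switch that was just added
 */
@Override
public void switchAdded(DatapathId dpid) {
    IOFSwitch sw = switchService.getSwitch(dpid);
    if (sw == null) {
        return;
    }

    // The output-to-controller action is identical for every port; build it once.
    OFActionOutput.Builder action = sw.getOFFactory().actions().buildOutput();
    // 0xffFFffFF is the max-length value carried over from the original
    // (send the whole packet) — presumably the factory's "no buffer" sentinel; verify.
    action.setMaxLen(0xffFFffFF);
    action.setPort(OFPort.CONTROLLER);
    OFAction toController = action.build();

    for (OFPortDesc port : sw.getPorts()) {
        Match.Builder match = sw.getOFFactory().buildMatch();
        match.setExact(MatchField.IN_PORT, port.getPortNo());
        match.setExact(MatchField.ETH_TYPE, EthType.IPv4);
        match.setExact(MatchField.IP_PROTO, IpProtocol.UDP);
        match.setExact(MatchField.UDP_SRC, UDP.DHCP_CLIENT_PORT);

        // Fresh list per flow so each flow carries exactly one action.
        ArrayList<OFAction> actionList = new ArrayList<OFAction>(1);
        actionList.add(toController);

        OFFlowAdd.Builder flow = sw.getOFFactory().buildFlowAdd();
        flow.setBufferId(OFBufferId.NO_BUFFER);
        flow.setHardTimeout(0);
        flow.setIdleTimeout(0);
        flow.setOutPort(OFPort.CONTROLLER);
        flow.setActions(actionList);
        flow.setMatch(match.build());
        flow.setPriority(32767);

        sfp.addFlow("dhcp-port---" + port.getPortNo().getPortNumber() + "---(" + port.getName() + ")",
                flow.build(), sw.getId());
    }
}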