From: Romain Lenglet <romain.leng...@berabera.info>

Modify the nox_core command line arguments to accept the socket bind
address for the ptcp: and pssl: connection methods. This is
particularly important for the ptcp: method, as it can help improve
security and performance in some cases. For instance, if a controller
connects only to datapaths on the same host, using ptcp: and binding
to 127.0.0.1 restricts connections to those from the localhost.
Otherwise, pssl: must be used, which is less efficient.
---
 src/include/openflow.hh |    8 ++++++--
 src/lib/openflow.cc     |   42 +++++++++++++++++++++++++++++-------------
 2 files changed, 35 insertions(+), 15 deletions(-)

diff --git a/src/include/openflow.hh b/src/include/openflow.hh
index 02e6f9f..5248bbb 100644
--- a/src/include/openflow.hh
+++ b/src/include/openflow.hh
@@ -284,13 +284,15 @@ class Passive_tcp_openflow_connection_factory
     : public Openflow_connection_factory
 {
 public:
-    Passive_tcp_openflow_connection_factory(uint16_t port);
+    Passive_tcp_openflow_connection_factory(const char* bind_ip,
+                                            uint16_t port);
     Openflow_connection* connect(int& error);
     void connect_wait();
     std::string to_string();
     bool passive() { return true; }
 private:
     Tcp_socket socket;
+    ipaddr bind_ip;
     uint16_t port;
 };
 
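Review bot: The new `bind_ip` constructor parameter and member are undocumented; nothing in the header says what string is expected or that the factory now binds its listening socket to that address instead of to every interface as before. A comment on the member such as `ipaddr bind_ip;  // local address the listening socket is bound to ("0.0.0.0" = all interfaces, see create())` plus a one-line note above the constructor would cover it; the same applies to the two Passive_ssl_openflow_connection_factory hunks below. The parameter is taken as `const char*` and converted to `ipaddr` in the initializer list; if `ipaddr` is constructible from a string, taking `const ipaddr&` directly would make that conversion explicit at the call site, but the type's constructors are not visible here. The class declaration starts before this hunk.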
@@ -314,7 +316,8 @@ class Passive_ssl_openflow_connection_factory
     : public Openflow_connection_factory
 {
 public:
-    Passive_ssl_openflow_connection_factory(uint16_t port, const char *key,
+    Passive_ssl_openflow_connection_factory(const char* bind_ip,
+                                            uint16_t port, const char *key,
                                             const char *cert,
                                             const char *CAfile);
     Openflow_connection* connect(int& error);
@@ -324,6 +327,7 @@ public:
 private:
     boost::shared_ptr<Ssl_config> config;
     Ssl_socket socket;
+    ipaddr bind_ip;
     uint16_t port;
 };
 
diff --git a/src/lib/openflow.cc b/src/lib/openflow.cc
index 95251bb..0ebc1d0 100644
--- a/src/lib/openflow.cc
+++ b/src/lib/openflow.cc
@@ -1133,11 +1133,20 @@ Openflow_connection_factory* 
Openflow_connection_factory::create(
                 ? atoi(tokens[2].c_str()) : OFP_TCP_PORT;
         return new Tcp_openflow_connection_factory(tokens[1], htons(port));
     } else if (tokens[0] == "ptcp") {
-        uint16_t port = atoi(tokens[1].c_str());
+        if (tokens.size() != 3) {
+            log.err("pssl connection name not in the form ptcp:[IP]:[PORT]");
+            exit(EXIT_FAILURE);
+        }
+        const char* bind_ip = "0.0.0.0";
+        if (tokens[1].size() > 0) {
+          bind_ip = tokens[1].c_str();
+        }
+        uint16_t port = atoi(tokens[2].c_str());
         if (!port) {
             port = OFP_TCP_PORT;
         }
-        return new Passive_tcp_openflow_connection_factory(htons(port));
+        return new Passive_tcp_openflow_connection_factory(bind_ip,
+                                                           htons(port));
     } else if (tokens[0] == "ssl") {
         if (tokens.size() != 6) {
             log.err("ssl connection name not in the form 
ssl:HOST:[PORT]:KEY:CERT:CAFILE");
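Review bot: The error message on the new size check names the wrong method: the ptcp branch reports `pssl connection name not in the form ptcp:[IP]:[PORT]`, so a user who mistypes a ptcp: argument is told about pssl; it should read `log.err("ptcp connection name not in the form ptcp:[IP]:[PORT]");`. The check also rejects the previous two-token form `ptcp:PORT`, which the commit message does not mention; if existing command lines are meant to keep working, the branch should accept `tokens.size() == 2` as the legacy all-interfaces case (and likewise the five-token pssl form in the next hunk). The four-line default block can be the single line `const char* bind_ip = tokens[1].empty() ? "0.0.0.0" : tokens[1].c_str();`, which the pssl hunk duplicates verbatim and could share through a small static helper. The enclosing create() function starts and ends outside this hunk.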
@@ -1151,17 +1160,21 @@ Openflow_connection_factory* 
Openflow_connection_factory::create(
             tokens[1], htons(port), tokens[3].c_str(),
             tokens[4].c_str(), tokens[5].c_str());
     } else if (tokens[0] == "pssl") {
-        if (tokens.size() != 5) {
-            log.err("pssl connection name not in the form 
pssl:[PORT]:KEY:CERT:CAFILE");
+        if (tokens.size() != 6) {
+            log.err("pssl connection name not in the form 
pssl:[IP]:[PORT]:KEY:CERT:CAFILE");
             exit(EXIT_FAILURE);
         }
-        uint16_t port = atoi(tokens[1].c_str());
+        const char* bind_ip = "0.0.0.0";
+        if (tokens[1].size() > 0) {
+          bind_ip = tokens[1].c_str();
+        }
+        uint16_t port = atoi(tokens[2].c_str());
         if (!port) {
             port = OFP_SSL_PORT;
         }
         return new Passive_ssl_openflow_connection_factory(
-            htons(port), tokens[2].c_str(), tokens[3].c_str(),
-            tokens[4].c_str());
+            bind_ip, htons(port), tokens[3].c_str(), tokens[4].c_str(),
+            tokens[5].c_str());
     } else if (tokens[0] == "pcap") {
 #ifndef HAVE_PCAP        
             log.err("pcap support not built in.  Ensure you have pcap 
installed and rebuild");
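Review bot: The meaning of an empty IP token is only implied by the default value; a comment above it, `// Empty IP keeps the previous behaviour: listen on all interfaces.`, would tell a reader that `pssl::PORT:KEY:CERT:CAFILE` is the intended spelling and that a non-empty token narrows the listening address. `tokens[1]` reaches the factory unvalidated, so what happens with a string that is not an address depends on the `ipaddr` constructor, which is not visible here; it is worth confirming that such input fails loudly rather than silently binding somewhere other than the operator intended. If nox_core prints a usage text listing these connection forms, it is not updated by this patch. The enclosing create() function starts and ends outside this hunk.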
@@ -1247,11 +1260,12 @@ Tcp_openflow_connection_factory::to_string()
 }
 
 Passive_tcp_openflow_connection_factory
-::Passive_tcp_openflow_connection_factory(uint16_t port_)
-    : port(port_)
+::Passive_tcp_openflow_connection_factory(const char* bind_ip_,
+                                          uint16_t port_)
+    : bind_ip(bind_ip_), port(port_)
 {
     socket.set_reuseaddr();
-    int error = socket.bind(htonl(INADDR_ANY), port);
+    int error = socket.bind(bind_ip, port);
     if (error) {
         throw errno_exception(error, "bind");
     }
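Review bot: On bind failure the exception still carries only the bare string `"bind"`, which after this change no longer identifies what was requested; with a caller-supplied address, a typo or an interface that is not yet up will fail here and the operator cannot tell from the error whether the address or the port was the problem. Including the requested address and port in the message passed to errno_exception (using whatever string form `ipaddr` provides, not visible here, and `ntohs(port)` since create() applies htons before the call) would make the failure actionable; the same applies to the Passive_ssl_openflow_connection_factory constructor in the last hunk. The initializer-list order `bind_ip`, `port` matches the member declaration order in the header, so no reorder warning is introduced. The constructor begins in this hunk but its body continues past it.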
@@ -1335,17 +1349,19 @@ Ssl_openflow_connection_factory::to_string()
 }
 
 Passive_ssl_openflow_connection_factory
-::Passive_ssl_openflow_connection_factory(uint16_t port_,
-                                          const char *key, const char *cert,
+::Passive_ssl_openflow_connection_factory(const char* bind_ip_,
+                                          uint16_t port_, const char *key,
+                                          const char *cert,
                                           const char *CAfile)
     : config(new Ssl_config(Ssl_config::SSLv3 | Ssl_config::TLSv1,
                             Ssl_config::AUTHENTICATE_SERVER,
                             Ssl_config::REQUIRE_CLIENT_CERT,
                             key, cert, CAfile)),
       socket(config),
+      bind_ip(bind_ip_),
       port(port_)
 {
-    int error = socket.bind(htonl(INADDR_ANY), port);
+    int error = socket.bind(bind_ip, port);
     if (error) {
         throw errno_exception(error, "bind");
     }
-- 
1.7.1

