On Sat, Apr 23, 2016 at 10:01 AM, Ariansyah Yutama <[email protected]> wrote:
> I am Ariansyah. I want to know more about stateful firewalls on RYU, but I
> have a problem with how to code one.
>
> Do you have any idea how to write the code, or do you have a sample of a
> stateful firewall in RYU?
If you can target ovs 2.5, you can use the NXActionCT to set a connection mark on the outgoing packet, and then use the NXMatch extensions to match the mark for return traffic. But I'm not aware of any example code out there at the moment.

An alternative is to use the NXLearn action to install return flows, or if you don't mind not staying all within the datapath (or not using ovs), you can punt the first outgoing packet to the controller, apply the rule you want, then output the packet and a corresponding return flow with a short timeout.

Another way, but not technically stateful, is to allow the outgoing traffic, and only allow packets with the ack or rst flags set back in. This however would allow packets in that match but don't really belong to a connection initiated back in, so it's not the best option by any stretch.

The exact flow set/best way to do it would be highly dependent on what you're trying to accomplish and what platform you're targeting.

Happy Hacking!
7-11
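As an added illustration of the "punt the first outgoing packet to the controller" approach described above (example code written for this page, not from the thread or the Ryu project): the controller-side decision that turns one punted packet into a forward entry plus a reverse entry with a short idle timeout. It uses no Ryu import so it runs stand-alone; the port numbers, allowed destination ports and 30 s timeout are constructed assumptions, and the match dicts use the keyword names Ryu's OFPMatch accepts for OVS.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy: inside hosts may open TCP connections to these ports.
ALLOWED_DST_PORTS = {80, 443}
INSIDE_PORT, OUTSIDE_PORT = 1, 2   # assumed OpenFlow port numbers
RETURN_IDLE_TIMEOUT = 30           # seconds; the "short timeout" on the return flow
TCP = 6

@dataclass(frozen=True)
class FiveTuple:
    ip_proto: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int

def decide(in_port: int, ft: FiveTuple) -> Optional[dict]:
    """Policy check for a punted first packet.

    Returns None (drop) for anything arriving on the outside port or not
    permitted by policy; otherwise the forward and reverse flow entries to
    install, each as (match, output_port, idle_timeout). The reverse entry
    is what gives the firewall its per-connection state.
    """
    if in_port != INSIDE_PORT:
        return None                      # no prior outbound state: drop
    if ft.ip_proto != TCP or ft.dst_port not in ALLOWED_DST_PORTS:
        return None
    fwd = dict(in_port=INSIDE_PORT, eth_type=0x0800, ip_proto=TCP,
               ipv4_src=ft.src_ip, ipv4_dst=ft.dst_ip,
               tcp_src=ft.src_port, tcp_dst=ft.dst_port)
    # Reverse entry: swap addresses and ports, expect it on the outside port.
    rev = dict(in_port=OUTSIDE_PORT, eth_type=0x0800, ip_proto=TCP,
               ipv4_src=ft.dst_ip, ipv4_dst=ft.src_ip,
               tcp_src=ft.dst_port, tcp_dst=ft.src_port)
    return {"forward": (fwd, OUTSIDE_PORT, RETURN_IDLE_TIMEOUT),
            "reverse": (rev, INSIDE_PORT, RETURN_IDLE_TIMEOUT)}

def ofctl_rule(match: dict, out_port: int, idle: int, prio: int = 100) -> str:
    """Render one entry in ovs-ofctl add-flow syntax for checking by hand."""
    return (f"priority={prio},idle_timeout={idle},tcp,in_port={match['in_port']},"
            f"nw_src={match['ipv4_src']},nw_dst={match['ipv4_dst']},"
            f"tp_src={match['tcp_src']},tp_dst={match['tcp_dst']},"
            f"actions=output:{out_port}")
```

In a Ryu app the two match dicts would be passed to `OFPMatch(**match)` inside the packet_in handler, with the idle timeout on the flow mod so the reverse entry disappears once the connection goes quiet.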
