At Sun, 24 Apr 2016 08:31:00 +0000,
Jason Kölker wrote:
> 
> On Sat, Apr 23, 2016 at 10:01 AM, Ariansyah Yutama <[email protected]> 
> wrote:
> > I am Ariansyah. I want to know more about stateful firewall on RYU, then I
> > have problem how to code it.
> >
> > Do you have any idea how to write the code or do you have sample of the
> > stateful firewall in RYU?
> 
> If you can target ovs 2.5, you can use the NXActionCT to set a
> connection mark on the outgoing packet, and then use the NXMatch
> extensions to match the mark for return traffic. But I'm not aware of
> any example code out there at the moment.

OpenStack Neutron's ovs firewall uses CT and a couple of registers to
perform stateful firewalling.
The code mostly uses the OVS cli and doesn't make much use of Ryu, but
it may serve as a hint on how to set up flows.

http://git.openstack.org/cgit/openstack/neutron/tree/neutron/agent/linux/openvswitch_firewall
http://git.openstack.org/cgit/openstack/neutron/tree/doc/source/devref/openvswitch_firewall.rst

> An alternative is to use the NXLearn action to install return flows,
> or if you don't mind not staying all within the datapath (or not using
> ovs), you can punt the first outgoing packet to the controller, apply
> the rule you want, then output the packet and a corresponding return
> flow with a short timeout.
> 
> Another way, but not technically stateful, is to allow the outgoing
> traffic, and only allow packets with the ack or rst flags set back in.
> This, however, would allow packets in that match but don't really belong
> to a connection initiated back in, so it's not the best option by any
> stretch.
> 
> The exact flow set/best way to do it would be highly dependent on what
> you're trying to accomplish and what platform you're targeting.
> 
> Happy Hacking!
> 
> 7-11

--
IWAMOTO Toshihiro
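The three designs discussed in this thread, written out as flow sets in ovs-ofctl syntax. This is an added example, not code from the thread, from Ryu or from Neutron's openvswitch_firewall; it follows the CLI route Iwamoto points to rather than Ryu's Python API. It assumes OVS 2.5 or later with the kernel conntrack module loaded, a bridge named br0, LAN hosts on OpenFlow port 1 and the uplink on port 2; the bridge name and port numbers are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread, Ryu or Neutron): three flow sets in
# ovs-ofctl syntax for the designs discussed above: conntrack + ct_mark,
# learn()-installed return flows, and the stateless ACK/RST check.
# Assumptions: OVS >= 2.5 with kernel conntrack, bridge "br0", LAN hosts on
# OpenFlow port 1, uplink on port 2. Names and port numbers are placeholders.

# Design 1: conntrack. Inside may open connections; outside may only reply.
#   $1 = LAN port, $2 = WAN port
gen_ct_flows() {
    lan="$1"; wan="$2"
    cat <<EOF
# Let ARP through so hosts can resolve each other.
priority=50,arp,actions=NORMAL
# Table 0: push every untracked IP packet through conntrack, recirculate to table 1.
table=0,priority=100,ip,ct_state=-trk,actions=ct(table=1)
# Table 1: first packet of a LAN-initiated connection: commit it to the tracker,
# tag the connection with ct_mark=1 and forward it.
table=1,priority=100,ip,in_port=$lan,ct_state=+new+trk,actions=ct(commit,exec(set_field:0x1->ct_mark)),output:$wan
# Packets of a committed connection pass in both directions, but only when the
# connection carries our mark, i.e. it was opened from the LAN side.
table=1,priority=100,ip,in_port=$lan,ct_state=+est+trk,ct_mark=0x1,actions=output:$wan
table=1,priority=100,ip,in_port=$wan,ct_state=+est+trk,ct_mark=0x1,actions=output:$lan
# New connections arriving from the WAN, and packets conntrack calls invalid, are dropped.
table=1,priority=90,ip,in_port=$wan,ct_state=+new+trk,actions=drop
table=1,priority=90,ip,ct_state=+inv+trk,actions=drop
table=1,priority=0,actions=drop
table=0,priority=0,actions=drop
EOF
}

# Design 2: learn(). The first LAN->WAN TCP packet installs a return flow in
# table 1 with addresses and ports swapped; idle_timeout ages it out.
gen_learn_flows() {
    lan="$1"; wan="$2"
    cat <<EOF
priority=50,arp,actions=NORMAL
# Table 0: TCP from the LAN installs the 5-tuple-swapped return flow, then forwards.
table=0,priority=100,tcp,in_port=$lan,actions=learn(table=1,priority=100,idle_timeout=60,dl_type=0x0800,nw_proto=6,in_port=$wan,NXM_OF_IP_SRC[]=NXM_OF_IP_DST[],NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_SRC[]=NXM_OF_TCP_DST[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],output:NXM_OF_IN_PORT[]),output:$wan
# Table 0: anything from the WAN is checked against the learned return flows only.
table=0,priority=100,ip,in_port=$wan,actions=resubmit(,1)
table=0,priority=0,actions=drop
table=1,priority=0,actions=drop
EOF
}

# Design 3: stateless flag check. Kept here for contrast: any inbound segment
# with ACK or RST set is admitted, whether or not a LAN host opened the connection.
gen_stateless_flows() {
    lan="$1"; wan="$2"
    cat <<EOF
priority=50,arp,actions=NORMAL
priority=100,tcp,in_port=$lan,actions=output:$wan
priority=100,tcp,in_port=$wan,tcp_flags=+ack,actions=output:$lan
priority=100,tcp,in_port=$wan,tcp_flags=+rst,actions=output:$lan
priority=0,actions=drop
EOF
}

# Replace the bridge's flow table atomically with one generated set.
#   $1 = generator function, $2 = bridge, $3 = LAN port, $4 = WAN port
apply_flows() {
    "$1" "$3" "$4" | ovs-ofctl -O OpenFlow13 replace-flows "$2" -
}

# Usage: sh firewall-flows.sh apply-ct|apply-learn|apply-stateless [bridge] [lan] [wan]
# With no argument the script only prints the conntrack flow set.
case "${1:-}" in
    apply-ct)        apply_flows gen_ct_flows "${2:-br0}" "${3:-1}" "${4:-2}" ;;
    apply-learn)     apply_flows gen_learn_flows "${2:-br0}" "${3:-1}" "${4:-2}" ;;
    apply-stateless) apply_flows gen_stateless_flows "${2:-br0}" "${3:-1}" "${4:-2}" ;;
    *)               gen_ct_flows 1 2 ;;
esac
```

The conntrack set is the one to prefer where OVS 2.5 is available: ct_state and ct_mark are set by the kernel tracker, so a reply is only admitted if the forward direction was actually committed from the LAN side. The learn() set stays entirely in the datapath and needs no conntrack, but its return flows match on the 5-tuple alone and live until idle_timeout expires. The stateless set shows the weakness Jason describes: it admits any inbound segment with ACK or RST set.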

_______________________________________________
Ryu-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/ryu-devel