Hi,
As you pointed, rest_firewall seems to have a bug.
Does the attached patch fix this problem?
Thanks,
Iwase
On 2016年11月17日 02:08, Ruy Takata wrote:
Dear all,
I am using the firewall app in Ryu, and I am creating some rules like below:
*curl -X POST -d '{"nw_src": "**10.0.0.1/32 <http://10.0.0.1/32>**",
"nw_dst": "**10.0.0.2/32 <http://10.0.0.2/32>**", "nw_proto": "ICMP"
}' **http://localhost:8080/firewall/rules/all
<http://localhost:8080/firewall/rules/all>*
*curl -X POST -d '{"nw_src": "**10.0.0.1/32 <http://10.0.0.1/32>**",
"nw_dst": "**10.0.0.3/32 <http://10.0.0.3/32>**", "nw_proto": "ICMP",
"actions": "DENY"}' **http://localhost:8080/firewall/rules/all
<http://localhost:8080/firewall/rules/all>*
*curl -X POST -d '{"nw_src": "**10.0.0.1/32 <http://10.0.0.1/32>**",
"nw_dst": "**10.0.0.4/32 <http://10.0.0.4/32>**", "nw_proto": "ICMP",
"actions": "ALLOW"}' **http://localhost:8080/firewall/rules/all
<http://localhost:8080/firewall/rules/all>*
When I list the rules the result aways show actions: DENY
*[*
* {*
* "access_control_list" : [*
* {*
* "rules" : [*
* {*
* "nw_proto" : "ICMP",*
* "actions" : "DENY",*
* "nw_dst" : "10.0.0.2",*
* "priority" : 1,*
* "nw_src" : "10.0.0.1",*
* "dl_type" : "IPv4",*
* "rule_id" : 1*
* },*
* {*
* "nw_proto" : "ICMP",*
* "rule_id" : 2,*
* "dl_type" : "IPv4",*
* "nw_src" : "10.0.0.1",*
* "actions" : "DENY",*
* "nw_dst" : "10.0.0.3",*
* "priority" : 1*
* },*
* {*
* "nw_proto" : "ICMP",*
* "actions" : "DENY",*
* "nw_dst" : "10.0.0.4",*
* "priority" : 1,*
* "nw_src" : "10.0.0.1",*
* "dl_type" : "IPv4",*
* "rule_id" : 3*
* }*
* ]*
* }*
* ],*
* "switch_id" : "0000000000000001"*
* }*
*]*
In mininet, the result is:
*mininet> dpctl dump-flows -O OpenFlow13*
**** s1
------------------------------------------------------------------------*
*OFPST_FLOW reply (OF1.3) (xid=0x2):*
* cookie=0x0, duration=132.176s, table=0, n_packets=21, n_bytes=1674,
priority=65535 actions=drop*
* cookie=0x0, duration=132.176s, table=0, n_packets=0, n_bytes=0,
priority=0 actions=CONTROLLER:128*
* cookie=0x0, duration=132.176s, table=0, n_packets=0, n_bytes=0,
priority=65534,arp actions=NORMAL*
* cookie=0x1, duration=117.815s, table=0, n_packets=0, n_bytes=0,
priority=1,icmp,nw_src=10.0.0.1,nw_dst=10.0.0.2 actions=NORMAL*
* cookie=0x2, duration=117.777s, table=0, n_packets=0, n_bytes=0,
priority=1,icmp,nw_src=10.0.0.1,nw_dst=10.0.0.3 actions=CONTROLLER:128*
* cookie=0x3, duration=117.106s, table=0, n_packets=0, n_bytes=0,
priority=1,icmp,nw_src=10.0.0.1,nw_dst=10.0.0.4 actions=NORMAL*
Is this a bug?
------------------------------------------------------------------------------
_______________________________________________
Ryu-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/ryu-devel
>From 6aa4de8669868fc4b68b007a64cafefb14f67d48 Mon Sep 17 00:00:00 2001
From: IWASE Yusuke <[email protected]>
Date: Wed, 16 Nov 2016 16:14:25 +0900
Subject: [PATCH] rest_firewall: Compare reserved port in str representation
Along with the update of ofctl_rest, the output representation of
the port number in the OUTPUT action has been changed.
e.g.) In case of the OUTPUT action to the OFPP_NORMAL port
OLD:
'OUTPUT:4294967290' # OFPP_NORMAL = 0xfffffffa
NOW:
'OUTPUT:NORMAL'
Currently, rest_firewall suposes the OLD format, and it will fail
to compare the port number, then all firewall rules will be shown
with "actions": "DENY".
This patch fixes to compare the port number in the NEW format and
fixes this problem.
Signed-off-by: IWASE Yusuke <[email protected]>
---
ryu/app/rest_firewall.py | 21 +++++++++------------
1 file changed, 9 insertions(+), 12 deletions(-)
diff --git a/ryu/app/rest_firewall.py b/ryu/app/rest_firewall.py
index a04525f..81659a9 100644
--- a/ryu/app/rest_firewall.py
+++ b/ryu/app/rest_firewall.py
@@ -679,8 +679,7 @@ class Firewall(object):
def _set_log_status(self, is_enable, waiters):
if is_enable:
- actions = Action.to_openflow(self.dp,
- {REST_ACTION: REST_ACTION_PACKETIN})
+ actions = Action.to_openflow({REST_ACTION: REST_ACTION_PACKETIN})
details = 'Log collection started.'
else:
actions = []
@@ -722,7 +721,7 @@ class Firewall(object):
priority = ARP_FLOW_PRIORITY
match = {REST_DL_TYPE: ether.ETH_TYPE_ARP}
action = {REST_ACTION: REST_ACTION_ALLOW}
- actions = Action.to_openflow(self.dp, action)
+ actions = Action.to_openflow(action)
flow = self._to_of_flow(cookie=cookie, priority=priority,
match=match, actions=actions)
@@ -754,7 +753,7 @@ class Firewall(object):
result = self.get_log_status(waiters)
if result[REST_LOG_STATUS] == REST_STATUS_ENABLE:
rest[REST_ACTION] = REST_ACTION_PACKETIN
- actions = Action.to_openflow(self.dp, rest)
+ actions = Action.to_openflow(rest)
flow = self._to_of_flow(cookie=cookie, priority=priority,
match=match, actions=actions)
@@ -881,7 +880,7 @@ class Firewall(object):
rule = {REST_RULE_ID: ruleid}
rule.update({REST_PRIORITY: flow[REST_PRIORITY]})
rule.update(Match.to_rest(flow))
- rule.update(Action.to_rest(self.dp, flow))
+ rule.update(Action.to_rest(flow))
return rule
@@ -1079,19 +1078,17 @@ class Match(object):
class Action(object):
@staticmethod
- def to_openflow(dp, rest):
+ def to_openflow(rest):
value = rest.get(REST_ACTION, REST_ACTION_ALLOW)
if value == REST_ACTION_ALLOW:
- out_port = dp.ofproto.OFPP_NORMAL
action = [{'type': 'OUTPUT',
- 'port': out_port}]
+ 'port': 'NORMAL'}]
elif value == REST_ACTION_DENY:
action = []
elif value == REST_ACTION_PACKETIN:
- out_port = dp.ofproto.OFPP_CONTROLLER
action = [{'type': 'OUTPUT',
- 'port': out_port,
+ 'port': 'CONTROLLER',
'max_len': 128}]
else:
raise ValueError('Invalid action type.')
@@ -1099,9 +1096,9 @@ class Action(object):
return action
@staticmethod
- def to_rest(dp, openflow):
+ def to_rest(openflow):
if REST_ACTION in openflow:
- action_allow = 'OUTPUT:%d' % dp.ofproto.OFPP_NORMAL
+ action_allow = 'OUTPUT:NORMAL'
if openflow[REST_ACTION] == [action_allow]:
action = {REST_ACTION: REST_ACTION_ALLOW}
else:
--
2.7.4
------------------------------------------------------------------------------
_______________________________________________
Ryu-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/ryu-devel
