Hi Juan,

The concept for the IP address wildcarding is the same as that of OpenFlow protocol matching.

To match against the "10.1.1.0/24" network, *mostly* you need to set nw_dst/nw_src="10.1.1.0/24". But please note this rule also matches a packet sent to "10.1.1.1/28", because the high-order 24 bits "10.1.1.*" are the same. If strict matching is required, you need to sniff or detect the context of the IP network negotiation (ARP, ICMPv6, ...etc.), I guess. I don't think it is practical though...

Thanks,
Iwase

On 2017/03/02 16:30, Juan Francisco Guano wrote:
> Ok, I try... summarizing, I wanna know what is the correct way to set a rule
> in a whole network: the IP address of the network AND with only netmask 32, for
> example 10.0.1.0/32, or the IP address of the network with another mask, for
> example 10.0.1.0/25? In this case, apply the same concept of wildcarding off
> of protocol??
>
> Regards
>
> Juan
>
> On 2 Mar 2017 at 1:38 AM, "Iwase Yusuke" <[email protected]> wrote:
>
> Hi Juan,
>
> Well... rest_firewall is just a sample application for the Ryu-Book, it is
> supposed to be calculated manually by users, I guess...
>
> For just applying an IP network mask, you can use "netaddr" though.
>
> >>> import netaddr
> >>> str(netaddr.IPNetwork("192.168.0.1/24").network)
> '192.168.0.0'
>
> Thanks,
> Iwase
>
> On 2017/03/02 15:25, Juan Francisco Guano wrote:
> > Hi Iwase, thank you so much... Another question: Do you know any resource
> > for a wildcard calculator that could work with the rest firewall?, for
> > example to define a range of IP addresses in a network to accept or deny
> > traffic?
> >
> > Regards
> >
> > Juan
> >
> > On 2 Mar 2017 at 12:35 AM, "Iwase Yusuke" <[email protected]> wrote:
> >
> > Hi Juan,
> >
> > Sorry, I misunderstood.
> >
> > I guess it comes from the constraint of the OpenFlow matching rule.
> > If you specify nw_dst="10.0.0.1/24", this means:
> > "The high-order 24 bits are used for IP address matching and the others are wildcarded"
> > and does NOT mean:
> > "Matching the destination 10.0.0.1 address in the 10.0.0.0/24 network"
> > These are very similar, but strictly speaking they do not have the same meaning.
> > Please refer to "7.2.3.4 Flow Matching" in OpenFlow Spec 1.3 for details.
> >
> > e.g.)
> > With nw_dst="10.0.0.1/24", this rule will be translated to "10.0.0.*" (* means wildcarded).
> > packets to 10.0.0.2: MATCH
> > packets to 10.1.0.1: NOT MATCH
> >
> > If you want to distinguish only the packets which have "10.0.0.1" in the "10.0.0.0/24" network
> > as the destination, you need to set nw_dst="10.0.0.1/32" in the OpenFlow match field.
> > 32 means the exact match for the "10.0.0.1" address.
> >
> > Thanks,
> > Iwase
> >
> > On 2017/03/01 20:32, Juan Francisco Guano wrote:
> > > Hi Iwase, thank you so much for your reply... I know that 255.000.000.00
> > > is the same as "8" in format. Now if you check my original question, you
> > > can appreciate that I ask for a specific IP address "10.0.0.2/8". Why is
> > > it the same flow as the "10.0.0.3/8" rule in a switch (I check this with
> > > the dump-flows command and I get 10.0.0.0/255.0.0.0 in both cases)? How
> > > does the controller/switch distinguish these flows? Why are the flows
> > > replaced in the switch? Why with a netmask 32 are the flows/rules
> > > different? Is it possible that this case is linked with the wildcarding
> > > function in the app?
> > >
> > > Any help is welcome...
> > >
> > > Regards
> > >
> > > Juan
> > >
> > > On 1 Mar 2017 at 2:58 AM, "Iwase Yusuke" <[email protected]> wrote:
> > >
> > > Hi Juan,
> > >
> > > First, "255.0.0.0" in "10.0.0.0/255.0.0.0" means the subnet mask and has
> > > the same meaning as "8". "8" is just formatted in the prefix representation.
> > >
> > > And, when you get it without the mask, like "10.0.0.0", the subnet mask
> > > "255.255.255.0" (="32" in the prefix representation) is just omitted for
> > > readability. So, you can set a netmask other than 32.
> > >
> > > Thanks,
> > > Iwase
> > >
> > > On 2017/03/01 15:54, Juan Francisco Guano wrote:
> > > > Hi everybody
> > > >
> > > > I know, if this value is correct when I set a rule in a REST FIREWALL,
> > > > this is directly linked with the netmask: if I set a rule for the IP
> > > > address and its netmask 10.0.0.2/8, when I get the rules the IP address
> > > > is the one below: .... "nw_dst": "10.0.0.0/255.0.0.0" .... What is the
> > > > meaning of that? Can't I set any rule with a netmask different from 32?
> > > > For example, I set the rule for the IP address and its netmask
> > > > 10.0.0.1/32 and I get a rule without any mask: .... "nw_dst":
> > > > "10.0.0.1" ....
> > > > Please, any explanation is welcome..
> > > >
> > > > Regards
> > > >
> > > > Juan

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Ryu-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/ryu-devel
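The following is an added example, not code from the thread, from Ryu or from rest_firewall: a small Python model of the OpenFlow prefix-match semantics Iwase explains above, using only the standard-library ipaddress module. It shows why "10.0.0.2/8" and "10.0.0.3/8" are stored as the same "10.0.0.0/255.0.0.0" entry (so the second install replaces the first), why a /32 match is printed without a mask, and that only the high-order prefix-length bits of a packet's address are compared. The FlowTable class is a simplification I assume for illustration: it keys entries on the normalized match alone, ignoring priority and other match fields that a real switch also uses.

```python
"""Added example (not from the thread or the Ryu project): a model of how an
OpenFlow nw_src/nw_dst prefix match is normalized and evaluated."""
import ipaddress


def parse_match(spec: str) -> tuple[int, int]:
    """Return (network_bits, mask_bits) for a match like "10.0.0.2/8".

    A missing prefix length means /32 (exact match). Host bits below the
    prefix are cleared, because the switch compares only the high-order
    prefix-length bits; everything else is wildcarded.
    """
    addr, _, plen_str = spec.partition("/")
    plen = int(plen_str) if plen_str else 32
    if not 0 <= plen <= 32:
        raise ValueError(f"bad prefix length in {spec!r}")
    mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & mask, mask


def normalize_match(spec: str) -> tuple[str, str]:
    """The stored form as dotted quads, e.g. ("10.0.0.0", "255.0.0.0")."""
    net, mask = parse_match(spec)
    return str(ipaddress.IPv4Address(net)), str(ipaddress.IPv4Address(mask))


def format_match(spec: str) -> str:
    """Mimic the dump-flows style quoted in the thread: the mask is printed
    as a dotted quad, except that an exact (/32) match is printed bare."""
    net, mask = normalize_match(spec)
    return net if mask == "255.255.255.255" else f"{net}/{mask}"


def matches(spec: str, dst: str) -> bool:
    """OpenFlow semantics: compare only the masked bits of the address."""
    net, mask = parse_match(spec)
    return (int(ipaddress.IPv4Address(dst)) & mask) == net


class FlowTable:
    """Toy flow table keyed on the normalized match (assumed: one priority,
    no other match fields). Two specs that normalize to the same key are the
    same flow entry, so installing the second overwrites the first."""

    def __init__(self) -> None:
        self.entries: dict[tuple[int, int], str] = {}

    def add(self, spec: str, action: str) -> bool:
        """Install a rule; return True if it replaced an existing entry."""
        key = parse_match(spec)
        replaced = key in self.entries
        self.entries[key] = action
        return replaced

    def lookup(self, dst: str) -> list[str]:
        """Actions of every entry whose masked bits match dst (no priority)."""
        d = int(ipaddress.IPv4Address(dst))
        return [act for (net, mask), act in self.entries.items() if (d & mask) == net]


if __name__ == "__main__":
    table = FlowTable()
    # Constructed sample rules mirroring the thread's observation.
    for spec, action in [("10.0.0.2/8", "allow"), ("10.0.0.3/8", "deny"), ("10.0.0.1/32", "allow")]:
        print(f"{spec:<12} -> {format_match(spec):<20} replaced={table.add(spec, action)}")
    print("10.0.0.1/24 matches 10.0.0.2:", matches("10.0.0.1/24", "10.0.0.2"))
    print("10.0.0.1/24 matches 10.1.0.1:", matches("10.0.0.1/24", "10.1.0.1"))
```

Running the block prints the same normalized form for the two /8 specs with `replaced=True` on the second, the bare "10.0.0.1" for the /32 spec, and True/False for the two match checks, which is exactly the behaviour Juan saw with dump-flows.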
