Hi Juan,
Sorry, please make your question clearer...
Your question is "Is using /32 for setting rest_firewall rules allowed or not?"
???
I'll mention it again...
The prefix ("32" in this case) in the rest_firewall APIs means:
"How many high-order bits should be matched against the IP address in the IP
packet header".
It does not mean an IP address network. "32" means "exact match against the IP
address".
Thanks,
Iwase
On 2017-03-03 12:30, Juan Francisco Guano wrote:
> Thank you again... But what about using netmask /32 in an IP address
> network?
>
> Juan
> Regards
>
> On 2 Mar 2017 8:40 PM, "Iwase Yusuke" <[email protected]> wrote:
>
> Hi Juan,
>
> The concept for IP address wildcarding is the same as that of the
> OpenFlow protocol matching.
>
> To match against the "10.1.1.0/24" network, *mostly* you need to set
> nw_dst/nw_src="10.1.1.0/24".
> But please note this rule also matches packets sent to "10.1.1.1/28",
> because the high-order 24 bits "10.1.1.*" are the same.
>
> If strict matching is required, you need to sniff or detect the context
> of the IP network negotiation (ARP, ICMPv6, ...etc), I guess. I don't
> think it's practical, though...
>
>
> Thanks,
> Iwase
>
>
> On 2017-03-02 16:30, Juan Francisco Guano wrote:
> > OK, I'll try... Summarizing, I want to know what is the correct way to set
> > a rule for a whole network: the IP address of the network with only netmask
> > 32, for example 10.0.1.0/32, or the IP address of the network with another
> > mask, for example 10.0.1.0/25? In this case, does the same concept of
> > wildcarding of the protocol apply?
> >
> > Regards
> >
> > Juan
> >
> > On 2 Mar 2017 1:38 AM, "Iwase Yusuke" <[email protected]> wrote:
> >
> > Hi Juan,
> >
> > Well... rest_firewall is just a sample application for the Ryu-Book; it is
> > supposed to be calculated manually by users, I guess...
> >
> > For just applying an IP network mask, you can use "netaddr" though.
> > >>> import netaddr
> > >>> str(netaddr.IPNetwork("192.168.0.1/24").network)
> > '192.168.0.0'
> >
> >
> > Thanks,
> > Iwase
> >
> > On 2017-03-02 15:25, Juan Francisco Guano wrote:
> > > Hi Iwase, thank you so much... Another question: do you know any
> > > resource for a wildcard calculator that could work with the rest
> > > firewall? For example, to define a range of IP addresses in a network to
> > > accept or deny traffic?
> > >
> > > Regards
> > >
> > > Juan
> > >
> > > On 2 Mar 2017 12:35 AM, "Iwase Yusuke" <[email protected]> wrote:
> > >
> > > Hi Juan,
> > >
> > > Sorry, I misunderstood.
> > >
> > > I guess it comes from the constraint of the OpenFlow matching rule.
> > > If you specify nw_dst="10.0.0.1/24", this means:
> > >   "The high-order 24 bits are used for IP address matching and the
> > >   others are wildcarded"
> > > and does NOT mean:
> > >   "Matching the destination 10.0.0.1 address in the 10.0.0.0/24 network"
> > > These are very similar, but strictly speaking they do not have the same
> > > meaning.
> > > Please refer to "7.2.3.4 Flow Matching" in OpenFlow Spec 1.3 for details.
> > >
> > > e.g.)
> > > With nw_dst="10.0.0.1/24", this rule will be translated to "10.0.0.*"
> > > (* means wildcarded).
> > >   packets to 10.0.0.2: MATCH
> > >   packets to 10.1.0.1: NOT MATCH
> > >
> > > If you want to distinguish only the packets which have "10.0.0.1" in the
> > > "10.0.0.0/24" network as the destination, you need to set
> > > nw_dst="10.0.0.1/32" in the OpenFlow match field.
> > > 32 means the exact match for the "10.0.0.1" address.
> > >
> > > Thanks,
> > > Iwase
> > >
> > > On 2017-03-01 20:32, Juan Francisco Guano wrote:
> > > > Hi Iwase, thank you so much for your reply... I know that 255.0.0.0 is
> > > > the same as "8" in format. Now if you check my original question, you
> > > > can appreciate that I ask about a specific IP address "10.0.0.2/8": why
> > > > is it the same in the flow as the "10.0.0.3/8" rule in a switch (I
> > > > checked this with the dump-flows command and I get 10.0.0.0/255.0.0.0
> > > > in both cases)? How do the controller/switch distinguish these flows?
> > > > Why are the flows replaced in the switch? Why with netmask 32 are the
> > > > flows/rules different? Is it possible that this case is linked with the
> > > > wildcarding function in the app?
> > > >
> > > > Any help Is welcome...
> > > >
> > > > Regards
> > > >
> > > > Juan
> > > >
> > > > On 1 Mar 2017 2:58 AM, "Iwase Yusuke" <[email protected]> wrote:
> > > >
> > > > Hi Juan,
> > > >
> > > > First, "255.0.0.0" in "10.0.0.0/255.0.0.0" means the subnet mask and
> > > > has the same meaning as "8".
> > > > "8" is just formatted in the prefix representation.
> > > >
> > > > And, when you get it without the mask, like "10.0.0.0", the subnet mask
> > > > "255.255.255.0" (="32" in the prefix representation) is just omitted for
> > > > readability.
> > > > So, you can set a netmask other than 32.
> > > >
> > > > Thanks,
> > > > Iwase
> > > >
> > > > On 2017-03-01 15:54, Juan Francisco Guano wrote:
> > > > > Hi everybody
> > > > >
> > > > > I want to know if this value is correct. When I set a rule in a REST
> > > > > FIREWALL, this is directly linked with the netmask: if I set a rule
> > > > > for the IP address and its netmask, 10.0.0.2/8, when I get the rules
> > > > > the IP address is the following: .... "nw_dst": "10.0.0.0/255.0.0.0"
> > > > > .... What is the meaning of that? Can't I set any rule with a netmask
> > > > > different from 32? For example, I set the rule for the IP address and
> > > > > its netmask, 10.0.0.1/32, and I get a rule without any mask: ....
> > > > > "nw_dst": "10.0.0.1" ....
> > > > > Please any explanation is welcome..
> > > > >
> > > > > Regards
> > > > >
> > > > > Juan
>
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Ryu-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/ryu-devel
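The prefix semantics discussed throughout this thread, worked through in code as an added example; this is not code from the original thread, from Ryu, or from its rest_firewall sample. An OpenFlow nw_src/nw_dst match is a bit-mask test: a /N rule keeps the high-order N bits of the rule address and wildcards the rest, and /32 (dotted mask 255.255.255.255) is an exact match. The example also shows why rules entered as 10.0.0.2/8 and 10.0.0.3/8 both show up in dump-flows as 10.0.0.0/255.0.0.0 and why the second one replaces the first: once the wildcarded bits are cleared the two matches are identical, and a FLOW_MOD ADD with the same match and priority overwrites the existing entry. It uses only the standard-library ipaddress module (netaddr, mentioned in the thread, is not required), and the function names and the sample addresses are my own, taken from the thread.

```python
"""OpenFlow-style IPv4 prefix matching (added example, not rest_firewall code).

An OpenFlow nw_src/nw_dst match with a mask is a bit-mask test: the packet
address is ANDed with the mask and compared with the rule's masked address.
"10.0.0.1/24" therefore keeps the high-order 24 bits of 10.0.0.1 and wildcards
the remaining 8; it is not a "host 10.0.0.1 inside 10.0.0.0/24" test.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def prefix_to_mask(prefix_len):
    """Convert a prefix length (0..32) into a 32-bit integer mask."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("IPv4 prefix length must be 0..32: %r" % prefix_len)
    return (ALL_ONES << (32 - prefix_len)) & ALL_ONES


def parse_match(spec):
    """Parse "a.b.c.d", "a.b.c.d/N" or "a.b.c.d/m.m.m.m" into (value, mask).

    The returned value already has the wildcarded low-order bits cleared, so
    two specs that differ only in those bits parse to the same key. A missing
    mask means exact match (/32), as in the rest_firewall output in the thread.
    """
    addr, _, mask = spec.partition("/")
    addr_int = int(ipaddress.IPv4Address(addr))
    if not mask:
        mask_int = prefix_to_mask(32)
    elif mask.isdigit():
        mask_int = prefix_to_mask(int(mask))
    else:
        # Dotted mask form, e.g. "255.0.0.0", as printed by ovs-ofctl dump-flows.
        mask_int = int(ipaddress.IPv4Address(mask))
    return addr_int & mask_int, mask_int


def matches(spec, packet_addr):
    """True if the packet's address satisfies the match spec (bit-mask test)."""
    value, mask = parse_match(spec)
    return int(ipaddress.IPv4Address(packet_addr)) & mask == value


def canonical(spec):
    """Render a spec the way dump-flows printed it in the thread: masked
    address followed by a dotted mask, or the bare address for exact match."""
    value, mask = parse_match(spec)
    text = str(ipaddress.IPv4Address(value))
    if mask == ALL_ONES:
        return text
    return "%s/%s" % (text, ipaddress.IPv4Address(mask))


def same_flow_key(spec_a, spec_b):
    """Two rules whose masked (value, mask) pairs are equal are the same match
    to the switch; a later FLOW_MOD ADD with an identical match and priority
    replaces the earlier entry, which is what the thread observed for
    10.0.0.2/8 versus 10.0.0.3/8."""
    return parse_match(spec_a) == parse_match(spec_b)


if __name__ == "__main__":
    # Constructed sample input, using the addresses that appear in the thread.
    for spec, pkt in [("10.0.0.1/24", "10.0.0.2"), ("10.0.0.1/24", "10.1.0.1"),
                      ("10.1.1.0/24", "10.1.1.1"), ("10.0.0.1/32", "10.0.0.2")]:
        verdict = "MATCH" if matches(spec, pkt) else "NOT MATCH"
        print("%-12s vs %-10s -> %s" % (spec, pkt, verdict))
    for spec in ("10.0.0.2/8", "10.0.0.3/8", "10.0.0.1/32", "10.0.0.1/255.0.0.0"):
        print("%-20s stored as %s" % (spec, canonical(spec)))
    print("10.0.0.2/8 and 10.0.0.3/8 are the same flow key:",
          same_flow_key("10.0.0.2/8", "10.0.0.3/8"))
```

If a firewall rule is meant to cover one host, write it as host/32; if it is meant to cover a network, write the network address with the network's prefix length (10.0.1.0/25, not 10.0.1.0/32, which would match only the single address 10.0.1.0). Feeding a host address with a short prefix (10.0.0.2/8) is not rejected, but the low-order bits are silently discarded, so several such rules collapse into one entry and overwrite each other as the thread describes.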