Hi Juan,

Well... Yes...
If you install a Drop rule with "10.0.2.0/32", the packets whose IP header contains "10.0.2.0" will be dropped by the exact matching rule.
rest_firewall does not recognize which IP network the hosts (sender/receiver) belong to. Only the IP address in the IP header is used.

Thanks,
Iwase

On 2017-03-03 14:42, Juan Francisco Guano wrote:
> Ok, sorry... I want to block an IP address network, for example 10.0.2.0,
> using a netmask 32. Is it correct to use this netmask in a rule of rest firewall
> .... "10.0.2.0/32"... to block or accept traffic in a whole network (in this case network 10.0.2.0)?????
>
> Regards
>
> On 2 Mar 2017 11:31 PM, "Iwase Yusuke" <[email protected]> wrote:
> >
> > Hi Juan,
> >
> > Sorry, please make the question more clear...
> > Your question is "Is using /32 for setting rest_firewall rules allowed or not?" ???
> >
> > I mention again...
> > Prefix ("32" in this case) in rest_firewall APIs means:
> > "How many high-order bits should be matched against the IP address in the IP packet header".
> > It does not mean IP address network. "32" means "exact match against IP address".
> >
> > Thanks,
> > Iwase
> >
> > On 2017-03-03 12:30, Juan Francisco Guano wrote:
> > > Thank you again... But what about using netmask /32? In an IP address network??
> > >
> > > Juan
> > > Regards
> > >
> > > On 2 Mar 2017 8:40 PM, "Iwase Yusuke" <[email protected]> wrote:
> > > >
> > > > Hi Juan,
> > > >
> > > > The concept for the IP address wildcarding is the same as that of the OpenFlow protocol matching.
> > > >
> > > > To match against the "10.1.1.0/24" network, *mostly* you need to set nw_dest/nw_src="10.1.1.0/24".
> > > > But please note this rule also matches the packet sent to "10.1.1.1/28", because the high-order
> > > > 24 bits "10.1.1.*" are the same.
> > > >
> > > > If strict matching is required, you need to sniff or detect the context of the IP network
> > > > negotiation (ARP, ICMPv6, ...etc), I guess. I don't think it is practical though...
> > > >
> > > > Thanks,
> > > > Iwase
> > > >
> > > > On 2017-03-02 16:30, Juan Francisco Guano wrote:
> > > > > Ok, I try... summarizing, I want to know what is the correct way to set a rule in a whole network:
> > > > > the IP address of the network AND with only netmask 32, for example 10.0.1.0/32, or the IP address
> > > > > of the network with another mask, for example 10.0.1.0/25? In this case, does the same concept of
> > > > > wildcarding of the protocol apply??
> > > > >
> > > > > Regards
> > > > >
> > > > > Juan
> > > > >
> > > > > On 2 Mar 2017 1:38 AM, "Iwase Yusuke" <[email protected]> wrote:
> > > > > >
> > > > > > Hi Juan,
> > > > > >
> > > > > > Well... rest_firewall is just a sample application for the Ryu-Book, it is supposed to be calculated
> > > > > > manually by users, I guess...
> > > > > >
> > > > > > For just applying an IP network mask, you can use "netaddr" though.
> > > > > > >>> import netaddr
> > > > > > >>> str(netaddr.IPNetwork("192.168.0.1/24").network)
> > > > > > '192.168.0.0'
> > > > > >
> > > > > > Thanks,
> > > > > > Iwase
> > > > > >
> > > > > > On 2017-03-02 15:25, Juan Francisco Guano wrote:
> > > > > > > Hi Iwase, thank you so much... Another question: do you know any resource of a wildcard calculator
> > > > > > > that could work with the rest firewall?, for example to define a range of IP addresses in a network to
> > > > > > > accept or deny traffic?
> > > > > > >
> > > > > > > Regards
> > > > > > >
> > > > > > > Juan
> > > > > > >
> > > > > > > On 2 Mar 2017 12:35 AM, "Iwase Yusuke" <[email protected]> wrote:
> > > > > > > >
> > > > > > > > Hi Juan,
> > > > > > > >
> > > > > > > > Sorry, I misunderstood.
> > > > > > > >
> > > > > > > > I guess it comes from the constraint of the OpenFlow Matching rule.
> > > > > > > > If you specify nw_dst="10.0.0.1/24", this means:
> > > > > > > > "The high-order 24 bits are used for IP address matching and the others are wildcarded"
> > > > > > > > and does NOT mean:
> > > > > > > > "Matching to the destination 10.0.0.1 address in the 10.0.0.0/24 network"
> > > > > > > > These are very similar, but strictly speaking these do not have the same meaning.
> > > > > > > > Please refer to "7.2.3.4 Flow Matching" in OpenFlow Spec 1.3 for details.
> > > > > > > >
> > > > > > > > e.g.)
> > > > > > > > With nw_dst="10.0.0.1/24", this rule will be translated to "10.0.0.*" (* means wildcarded).
> > > > > > > > packets to 10.0.0.2: MATCH
> > > > > > > > packets to 10.1.0.1: NOT MATCH
> > > > > > > >
> > > > > > > > If you want to distinguish only the packets which have "10.0.0.1" in the "10.0.0.0/24" network
> > > > > > > > as the destination, you need to set nw_dst="10.0.0.1/32" in the OpenFlow match field.
> > > > > > > > 32 means the exact match for the "10.0.0.1" address.
> > > > > > > >
> > > > > > > > Thanks,
> > > > > > > > Iwase
> > > > > > > >
> > > > > > > > On 2017-03-01 20:32, Juan Francisco Guano wrote:
> > > > > > > > > Hi Iwase, thank you so much for your reply... I know that 255.000.000.00 is the same as "8" in format.
> > > > > > > > > Now if you check my original question, you can appreciate that I ask for a specific IP address
> > > > > > > > > "10.0.0.2/8": why is it the same in flow as the "10.0.0.3/8" rule in a switch (I check this with the
> > > > > > > > > dump-flows command and I get 10.0.0.0/255.0.0.0 in both cases)? How does the controller/switch
> > > > > > > > > distinguish these flows? Why are the flows replaced in the switch? Why with a netmask 32 are the
> > > > > > > > > flows/rules different? Is it possible that this case is linked with the wildcarding function in the app?
> > > > > > > > >
> > > > > > > > > Any help is welcome...
> > > > > > > > >
> > > > > > > > > Regards
> > > > > > > > >
> > > > > > > > > Juan
> > > > > > > > >
> > > > > > > > > On 1 Mar 2017 2:58 AM, "Iwase Yusuke" <[email protected]> wrote:
> > > > > > > > > >
> > > > > > > > > > Hi Juan,
> > > > > > > > > >
> > > > > > > > > > First, "255.0.0.0" in "10.0.0.0/255.0.0.0" means the subnet mask and has the same meaning as "8".
> > > > > > > > > > "8" is just formatted in the prefix representation.
> > > > > > > > > >
> > > > > > > > > > And, when you get it without the mask, like "10.0.0.0", the subnet mask "255.255.255.0" (="32" in
> > > > > > > > > > the prefix representation) is just omitted for readability.
> > > > > > > > > > So, you can set a netmask other than 32.
> > > > > > > > > >
> > > > > > > > > > Thanks,
> > > > > > > > > > Iwase
> > > > > > > > > >
> > > > > > > > > > On 2017-03-01 15:54, Juan Francisco Guano wrote:
> > > > > > > > > > > Hi everybody
> > > > > > > > > > >
> > > > > > > > > > > I want to know if this value is correct when I set a rule in a REST FIREWALL; this is directly linked
> > > > > > > > > > > with the netmask. If I set a rule for the IP address and its netmask: 10.0.0.2/8, when I get the rules
> > > > > > > > > > > the IP address is the one below: .... "nw_dst": "10.0.0.0/255.0.0.0".... What is the meaning of that?
> > > > > > > > > > > Can't I set any rule with a netmask different from 32? For example, I set the rule for the IP address
> > > > > > > > > > > and its netmask: 10.0.0.1/32, and I get a rule without any mask: .... "nw_dst": "10.0.0.1"....
> > > > > > > > > > > Any explanation is welcome..
> > > > > > > > > > >
> > > > > > > > > > > Regards
> > > > > > > > > > >
> > > > > > > > > > > Juan
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Ryu-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/ryu-devel
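The prefix semantics Iwase describes in the thread (the high-order bits are matched, the rest are wildcarded, and /32 means exact match), together with the 10.0.0.0/255.0.0.0 collapse Juan saw in dump-flows, modelled as an added example that is not part of the thread or of Ryu's rest_firewall. It uses the standard-library ipaddress module in place of netaddr, and the flow table (a dict keyed by the effective match, first matching rule wins, no priorities) is my own simplification, not the switch's implementation.

```python
# Added example (not from the thread, not Ryu's rest_firewall code).
# Models how an OpenFlow nw_src/nw_dst "addr/prefixlen" match is applied:
# the high-order prefixlen bits are compared, the remaining bits are
# wildcarded. Uses the standard-library ipaddress module, not netaddr.
import ipaddress

def prefix_to_match(spec):
    """Return (network, mask) as dotted strings for "addr/prefixlen".
    Host bits below the prefix are cleared, which is why 10.0.0.2/8 and
    10.0.0.3/8 both show up as 10.0.0.0/255.0.0.0 in dump-flows output."""
    addr, _, plen = spec.partition("/")
    plen = int(plen) if plen else 32          # no prefix given: exact match
    if not 0 <= plen <= 32:
        raise ValueError("prefix length out of range: %s" % spec)
    ip = int(ipaddress.IPv4Address(addr))
    mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
    return (str(ipaddress.IPv4Address(ip & mask)),
            str(ipaddress.IPv4Address(mask)))

def as_dump_flows(spec):
    """Render the match the way the switch prints it: a /32 omits the mask."""
    net, mask = prefix_to_match(spec)
    return net if mask == "255.255.255.255" else "%s/%s" % (net, mask)

def _hits(net, mask, pkt_dst):
    m = int(ipaddress.IPv4Address(mask))
    return int(ipaddress.IPv4Address(pkt_dst)) & m == int(ipaddress.IPv4Address(net))

def matches(spec, pkt_dst):
    """True if a packet addressed to pkt_dst hits the match derived from spec."""
    return _hits(*prefix_to_match(spec), pkt_dst)

def install(table, spec, action):
    """Simplified flow table keyed by the effective match: a second rule with
    the same effective match replaces the first rather than coexisting."""
    table[prefix_to_match(spec)] = action
    return table

def verdict(table, pkt_dst, default="ALLOW"):
    """First matching rule wins (rest_firewall priorities are not modelled)."""
    for (net, mask), action in table.items():
        if _hits(net, mask, pkt_dst):
            return action
    return default

if __name__ == "__main__":
    t = install({}, "10.0.0.2/8", "DENY")
    install(t, "10.0.0.3/8", "ALLOW")          # replaces the /8 rule above
    print(t)                                   # {('10.0.0.0', '255.0.0.0'): 'ALLOW'}
    t = install({}, "10.0.2.0/32", "DENY")     # meant to block 10.0.2.0/24, but ...
    print(verdict(t, "10.0.2.0"), verdict(t, "10.0.2.5"))   # DENY ALLOW
    install(t, "10.0.2.0/24", "DENY")          # ... this is the rule that does it
    print(verdict(t, "10.0.2.5"))              # DENY
```

Comparing `as_dump_flows()` of the rule you intended with what the switch actually reports is the quickest check that a deny rule covers the hosts you think it does.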
