Thank you, this reply
https://sourceforge.net/p/ryu/mailman/message/35660766/ is incorrect??

Regards
Juan

2017-03-03 1:06 GMT-05:00 Iwase Yusuke <[email protected]>:

> Hi Juan,
>
> Well... Yes...
>
> If you install a Drop rule with "10.0.2.0/32", the packets whose IP header contains "10.0.2.0"
> will be dropped by the exact-matching rule.
> rest_firewall does not recognize which IP network the hosts (sender/receiver) belong to.
> Only the IP address in the IP header will be used.
>
> Thanks,
> Iwase
>
> On 2017-03-03 14:42, Juan Francisco Guano wrote:
> > Ok, sorry ... I want to block an IP address network, for example 10.0.2.0, using a netmask 32. Is it correct using this netmask in a rule of rest firewall .... "10.0.2.0/32"... To block or accept traffic in a whole network (in this case network 10.0.2.0)?????
> >
> > Regards
> >
> > On 2 Mar 2017 11:31 PM, "Iwase Yusuke" <[email protected]> wrote:
> >
> >     Hi Juan,
> >
> >     Sorry, please make your question more clear...
> >     Your question is "Is using /32 for setting rest_firewall rules allowed or not?" ???
> >
> >     I mention again...
> >     Prefix ("32" in this case) in rest_firewall APIs means:
> >       "How many high-order bits should be matched against IP address in IP packet header".
> >     It does not mean IP address network. "32" means "exact match against IP address".
> >
> >     Thanks,
> >     Iwase
> >
> >
> >     On 2017-03-03 12:30, Juan Francisco Guano wrote:
> >     > Thank you again... But what about using netmask /32? In an IP address network??
> >     >
> >     > Juan
> >     > Regards
> >     >
> >     > On 2 Mar 2017 8:40 PM, "Iwase Yusuke" <[email protected]> wrote:
> >     >
> >     >     Hi Juan,
> >     >
> >     >     The concept for the IP address wildcarding is the same as that of OpenFlow protocol matching.
> >     >
> >     >     To match against the "10.1.1.0/24" network, *mostly* you need to set nw_dest/nw_src="10.1.1.0/24".
> >     >     But please note this rule also matches the packet sent to "10.1.1.1/28", because the high-order
> >     >     24 bits "10.1.1.*" are the same.
> >     >
> >     >     If strict matching is required, you need to sniff or detect the context of the IP network
> >     >     negotiation (ARP, ICMPv6, etc.), I guess. I don't think it is practical though...
> >     >
> >     >
> >     >     Thanks,
> >     >     Iwase
> >     >
> >     >
> >     >     On 2017-03-02 16:30, Juan Francisco Guano wrote:
> >     >     > Ok, I try... summarizing, I wanna know what is the correct way to set a rule in a whole network: the IP address of the network AND with only netmask 32, for example 10.0.1.0/32, or the IP address of the network with another mask, for example 10.0.1.0/25? In this case apply the same concept of wildcarding of the protocol??
> >     >     >
> >     >     > Regards
> >     >     >
> >     >     > Juan
> >     >     >
> >     >     > On 2 Mar 2017 1:38 AM, "Iwase Yusuke" <[email protected]> wrote:
> >     >     >
> >     >     >     Hi Juan,
> >     >     >
> >     >     >     Well... rest_firewall is just a sample application for the Ryu-Book, it is supposed to be calculated
> >     >     >     manually by users, I guess...
> >     >     >
> >     >     >     For just applying IP network mask, you can use "netaddr" though.
> >     >     >     >>> import netaddr
> >     >     >     >>> str(netaddr.IPNetwork("192.168.0.1/24").network)
> >     >     >     '192.168.0.0'
> >     >     >
> >     >     >
> >     >     >     Thanks,
> >     >     >     Iwase
> >     >     >
> >     >     >     On 2017-03-02 15:25, Juan Francisco Guano wrote:
> >     >     >     > Hi Iwase, thank you so much... Another question: do you know any resource of a wildcard calculator that could work with the rest firewall? For example, to define a range of IP addresses in a network to accept or deny traffic?
> >     >     >     >
> >     >     >     > Regards
> >     >     >     >
> >     >     >     > Juan
> >     >     >     >
> >     >     >     > On 2 Mar 2017 12:35 AM, "Iwase Yusuke" <[email protected]> wrote:
> >     >     >     >
> >     >     >     >     Hi Juan,
> >     >     >     >
> >     >     >     >     Sorry, I misunderstood.
> >     >     >     >
> >     >     >     >     I guess, it comes from the constraint of OpenFlow Matching rule.
> >     >     >     >     If you specify nw_dst="10.0.0.1/24", this means:
> >     >     >     >       "The high-order 24 bits are used for IP address matching and other is wildcarded"
> >     >     >     >     and does NOT mean:
> >     >     >     >       "Matching to the destination 10.0.0.1 address in the 10.0.0.0/24 network"
> >     >     >     >     These are very similar, but strictly speaking these do not have the same meaning.
> >     >     >     >     Please refer to "7.2.3.4 Flow Matching" in OpenFlow Spec 1.3 for details.
> >     >     >     >
> >     >     >     >     e.g.)
> >     >     >     >     With nw_dst="10.0.0.1/24", this rule will be translated to "10.0.0.*" (* means wildcarded).
> >     >     >     >       packets to 10.0.0.2:  MATCH
> >     >     >     >       packets to 10.1.0.1:  NOT MATCH
> >     >     >     >
> >     >     >     >     If you want to distinguish the packets only which have "10.0.0.1" in "10.0.0.0/24" network
> >     >     >     >     as the destination, you need to set nw_dst="10.0.0.1/32" in OpenFlow match field.
> >     >     >     >     32 means the exact match for "10.0.0.1" address.
> >     >     >     >
> >     >     >     >     Thanks,
> >     >     >     >     Iwase
> >     >     >     >
> >     >     >     >     On 2017-03-01 20:32, Juan Francisco Guano wrote:
> >     >     >     >     > Hi Iwase, thank you so much for your reply... I know that 255.000.000.00 is the same as "8" for format. Now if you check my original question, you can appreciate that I ask for a specific IP address "10.0.0.2/8"; why is it the same in the flow as the "10.0.0.3/8" rule in a switch (I check this with the dump-flows command and I get 10.0.0.0/255.0.0.0 in both cases)? How does the controller/switch distinguish these flows? Why are the flows replaced in the switch? Why with a netmask 32 are the flows/rules different? Is it possible that this case is linked with the wildcarding function in the app?
> >     >     >     >     >
> >     >     >     >     > Any help Is welcome...
> >     >     >     >     >
> >     >     >     >     > Regards
> >     >     >     >     >
> >     >     >     >     > Juan
> >     >     >     >     >
> >     >     >     >     > On 1 Mar 2017 2:58 AM, "Iwase Yusuke" <[email protected]> wrote:
> >     >     >     >     >
> >     >     >     >     >     Hi Juan,
> >     >     >     >     >
> >     >     >     >     >     First, "255.0.0.0" in "10.0.0.0/255.0.0.0" means the subnet mask and has the same meaning as "8".
> >     >     >     >     >     "8" is just formatted in the prefix representation.
> >     >     >     >     >
> >     >     >     >     >     And, when you get it without the mask, like "10.0.0.0", the subnet mask "255.255.255.0"(="32" in
> >     >     >     >     >     the prefix representation) is just omitted for the readability.
> >     >     >     >     >     So, you can set the netmask other than 32.
> >     >     >     >     >
> >     >     >     >     >     Thanks,
> >     >     >     >     >     Iwase
> >     >     >     >     >
> >     >     >     >     >     On 2017-03-01 15:54, Juan Francisco Guano wrote:
> >     >     >     >     >     > Hi everybody
> >     >     >     >     >     >
> >     >     >     >     >     > I know, if this value is correct when I set a rule in a REST FIREWALL, this directly linked with the netmask, if I set a rule for the IP Address and your netmask; 10.0.0.2/8, when I get the rules the IP address is the below; .... "nw_dst": "10.0.0.0/255.0.0.0".... what is the meaning of that? I can't set any rule with a different netmask of 32? for example I set the rule for the IP Address and your netmask; 10.0.0.1/32 and I get a rule without any mask;.... "nw_dst": "10.0.0.1"....
> >     >     >     >     >     > Please any explanation is welcome..
> >     >     >     >     >     >
> >     >     >     >     >     > Regards
> >     >     >     >     >     >
> >     >     >     >     >     > Juan
> >     >     >     >     >     >
> >     >     >     >     >     >
> >     >     >     >     >     > ------------------------------------------------------------------------------
> >     >     >     >     >     > Check out the vibrant tech community on one of the world's most
> >     >     >     >     >     > engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> >     >     >     >     >     >
> >     >     >     >     >     > _______________________________________________
> >     >     >     >     >     > Ryu-devel mailing list
> >     >     >     >     >     > [email protected]
> >     >     >     >     >     > https://lists.sourceforge.net/lists/listinfo/ryu-devel
>
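
The prefix semantics discussed in this thread, as an added example that is not part of the original messages and is not rest_firewall's or Ryu's own code. It uses Python's standard `ipaddress` module instead of the `netaddr` package mentioned above, and the function names `normalize`, `matches` and `colliding_rules` are hypothetical; the sample rules and addresses are constructed from the values quoted in the thread.

```python
import ipaddress
from collections import defaultdict


def normalize(rule):
    """Render an IPv4 'address/prefix' rule the way the thread reports it
    back from the switch: host bits cleared, dotted netmask, and no mask
    shown at all for /32."""
    net = ipaddress.IPv4Network(rule, strict=False)  # strict=False clears host bits
    if net.prefixlen == 32:
        return str(net.network_address)
    return "{}/{}".format(net.network_address, net.netmask)


def matches(rule, packet_ip):
    """Prefix match: only the high-order bits selected by the mask are
    compared with the address carried in the packet's IP header."""
    net = ipaddress.IPv4Network(rule, strict=False)
    masked = int(ipaddress.IPv4Address(packet_ip)) & int(net.netmask)
    return masked == int(net.network_address)


def colliding_rules(rules):
    """Group rules that reduce to the same match. Such rules cannot be told
    apart once installed, so a later one replaces an earlier one."""
    groups = defaultdict(list)
    for rule in rules:
        groups[normalize(rule)].append(rule)
    return {match: members for match, members in groups.items() if len(members) > 1}


if __name__ == "__main__":
    # Constructed sample input: rule strings and addresses quoted in the thread.
    for rule in ("10.0.0.2/8", "10.0.0.3/8", "10.0.0.1/32"):
        print(rule, "->", normalize(rule))
    print(colliding_rules(["10.0.0.2/8", "10.0.0.3/8", "10.0.0.1/32"]))
    checks = (
        ("10.0.0.1/24", "10.0.0.2"),   # same high-order 24 bits
        ("10.0.0.1/24", "10.1.0.1"),   # differs inside the first 24 bits
        ("10.0.2.0/32", "10.0.2.0"),   # exact match only
        ("10.0.2.0/32", "10.0.2.7"),   # a host in that network is not covered
        ("10.0.2.0/24", "10.0.2.7"),   # the prefix that covers the network
    )
    for rule, ip in checks:
        print(rule, ip, "MATCH" if matches(rule, ip) else "NOT MATCH")
```

Running `colliding_rules` over a planned rule set before pushing it shows which entries would overwrite each other, and `matches` shows that a drop rule written as a network address with /32 leaves the hosts of that network unfiltered.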