net.floodlightcontroller.firewall
Class Firewall

java.lang.Object
  extended by net.floodlightcontroller.firewall.Firewall
All Implemented Interfaces:
IListener<OFType>, IOFMessageListener, IFloodlightModule, IFloodlightService, IFirewallService

public class Firewall
extends java.lang.Object
implements IFirewallService, IOFMessageListener, IFloodlightModule

Stateless firewall implemented as a Google Summer of Code project. Configuration is done through the REST API.

Author:
Amer Tahir

Nested Class Summary
 
Nested classes/interfaces inherited from interface net.floodlightcontroller.core.IListener
IListener.Command
 
Field Summary
static java.lang.String COLUMN_ACTION
           
static java.lang.String COLUMN_DL_DST
           
static java.lang.String COLUMN_DL_SRC
           
static java.lang.String COLUMN_DL_TYPE
           
static java.lang.String COLUMN_DPID
           
static java.lang.String COLUMN_IN_PORT
           
static java.lang.String COLUMN_NW_DST_MASKBITS
           
static java.lang.String COLUMN_NW_DST_PREFIX
           
static java.lang.String COLUMN_NW_PROTO
           
static java.lang.String COLUMN_NW_SRC_MASKBITS
           
static java.lang.String COLUMN_NW_SRC_PREFIX
           
static java.lang.String COLUMN_PRIORITY
           
static java.lang.String COLUMN_RULEID
           
static java.lang.String COLUMN_TP_DST
           
static java.lang.String COLUMN_TP_SRC
           
static java.lang.String COLUMN_WILDCARD_DL_DST
           
static java.lang.String COLUMN_WILDCARD_DL_SRC
           
static java.lang.String COLUMN_WILDCARD_DL_TYPE
           
static java.lang.String COLUMN_WILDCARD_DPID
           
static java.lang.String COLUMN_WILDCARD_IN_PORT
           
static java.lang.String COLUMN_WILDCARD_NW_DST
           
static java.lang.String COLUMN_WILDCARD_NW_PROTO
           
static java.lang.String COLUMN_WILDCARD_NW_SRC
           
static java.lang.String COLUMN_WILDCARD_TP_DST
           
static java.lang.String COLUMN_WILDCARD_TP_SRC
           
static java.lang.String[] ColumnNames
           
protected  boolean enabled
           
protected  IFloodlightProviderService floodlightProvider
           
protected static org.slf4j.Logger logger
           
protected  IRestApiService restApi
           
protected  java.util.List<FirewallRule> rules
           
protected  IStorageSourceService storageSource
           
protected  int subnet_mask
           
static java.lang.String TABLE_NAME
           
 
Constructor Summary
Firewall()
           
 
Method Summary
 void addRule(FirewallRule rule)
          Adds a new Firewall rule
 void deleteRule(int ruleid)
          Deletes a Firewall rule
 void enableFirewall(boolean enabled)
          Enables/disables the firewall.
 java.util.Collection<java.lang.Class<? extends IFloodlightService>> getModuleDependencies()
          Get a list of Modules that this module depends on.
 java.util.Collection<java.lang.Class<? extends IFloodlightService>> getModuleServices()
          Return the list of interfaces that this module implements.
 java.lang.String getName()
          The name assigned to this listener
 java.util.List<FirewallRule> getRules()
          Returns all of the firewall rules
 java.util.Map<java.lang.Class<? extends IFloodlightService>,IFloodlightService> getServiceImpls()
          Instantiate (as needed) and return objects that implement each of the services exported by this module.
 java.util.List<java.util.Map<java.lang.String,java.lang.Object>> getStorageRules()
          Returns all of the firewall rules in storage for debugging and unit-testing purposes
 java.lang.String getSubnetMask()
          Returns the subnet mask
 void init(FloodlightModuleContext context)
          This is a hook for each module to do its internal initialization, e.g., call setService(context.getService("Service")). All module dependencies are resolved when this is called, but not every module is initialized.
protected  boolean IPIsBroadcast(int IPAddress)
          Checks whether an IP address is a broadcast address or not (determined using the subnet mask)
 boolean isCallbackOrderingPostreq(OFType type, java.lang.String name)
          Check if the module called name is a callback ordering post-requisite for this module.
 boolean isCallbackOrderingPrereq(OFType type, java.lang.String name)
          Check if the module called name is a callback ordering prerequisite for this module.
 boolean isEnabled()
          Returns operational status of the firewall
protected  RuleWildcardsPair matchWithRule(IOFSwitch sw, OFPacketIn pi, FloodlightContext cntx)
          Iterates over the firewall rules and tries to match them with the incoming packet (flow).
 IListener.Command processPacketInMessage(IOFSwitch sw, OFPacketIn pi, IRoutingDecision decision, FloodlightContext cntx)
           
protected  java.util.ArrayList<FirewallRule> readRulesFromStorage()
          Reads the rules from storage and creates a sorted ArrayList of FirewallRule objects from them.
 IListener.Command receive(IOFSwitch sw, OFMessage msg, FloodlightContext cntx)
          This is the method Floodlight uses to call listeners with OpenFlow messages
 void setSubnetMask(java.lang.String newMask)
          Sets the subnet mask
 void startUp(FloodlightModuleContext context)
          This is a hook for each module to do its external initializations, e.g., register for callbacks or query for state in other modules. It is expected that this function will not block and that modules that want non-event-driven CPU will spawn their own threads.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

floodlightProvider

protected IFloodlightProviderService floodlightProvider

storageSource

protected IStorageSourceService storageSource

restApi

protected IRestApiService restApi

logger

protected static org.slf4j.Logger logger

rules

protected java.util.List<FirewallRule> rules

enabled

protected boolean enabled

subnet_mask

protected int subnet_mask

TABLE_NAME

public static final java.lang.String TABLE_NAME
See Also:
Constant Field Values

COLUMN_RULEID

public static final java.lang.String COLUMN_RULEID

COLUMN_DPID

public static final java.lang.String COLUMN_DPID

COLUMN_IN_PORT

public static final java.lang.String COLUMN_IN_PORT

COLUMN_DL_SRC

public static final java.lang.String COLUMN_DL_SRC

COLUMN_DL_DST

public static final java.lang.String COLUMN_DL_DST

COLUMN_DL_TYPE

public static final java.lang.String COLUMN_DL_TYPE

COLUMN_NW_SRC_PREFIX

public static final java.lang.String COLUMN_NW_SRC_PREFIX

COLUMN_NW_SRC_MASKBITS

public static final java.lang.String COLUMN_NW_SRC_MASKBITS

COLUMN_NW_DST_PREFIX

public static final java.lang.String COLUMN_NW_DST_PREFIX

COLUMN_NW_DST_MASKBITS

public static final java.lang.String COLUMN_NW_DST_MASKBITS

COLUMN_NW_PROTO

public static final java.lang.String COLUMN_NW_PROTO

COLUMN_TP_SRC

public static final java.lang.String COLUMN_TP_SRC

COLUMN_TP_DST

public static final java.lang.String COLUMN_TP_DST

COLUMN_WILDCARD_DPID

public static final java.lang.String COLUMN_WILDCARD_DPID

COLUMN_WILDCARD_IN_PORT

public static final java.lang.String COLUMN_WILDCARD_IN_PORT

COLUMN_WILDCARD_DL_SRC

public static final java.lang.String COLUMN_WILDCARD_DL_SRC

COLUMN_WILDCARD_DL_DST

public static final java.lang.String COLUMN_WILDCARD_DL_DST

COLUMN_WILDCARD_DL_TYPE

public static final java.lang.String COLUMN_WILDCARD_DL_TYPE

COLUMN_WILDCARD_NW_SRC

public static final java.lang.String COLUMN_WILDCARD_NW_SRC

COLUMN_WILDCARD_NW_DST

public static final java.lang.String COLUMN_WILDCARD_NW_DST

COLUMN_WILDCARD_NW_PROTO

public static final java.lang.String COLUMN_WILDCARD_NW_PROTO

COLUMN_WILDCARD_TP_SRC

public static final java.lang.String COLUMN_WILDCARD_TP_SRC

COLUMN_WILDCARD_TP_DST

public static final java.lang.String COLUMN_WILDCARD_TP_DST

COLUMN_PRIORITY

public static final java.lang.String COLUMN_PRIORITY

COLUMN_ACTION

public static final java.lang.String COLUMN_ACTION

ColumnNames

public static java.lang.String[] ColumnNames
Constructor Detail

Firewall

public Firewall()
Method Detail

getName

public java.lang.String getName()
Description copied from interface: IListener
The name assigned to this listener

Specified by:
getName in interface IListener<OFType>
Returns:

isCallbackOrderingPrereq

public boolean isCallbackOrderingPrereq(OFType type,
                                        java.lang.String name)
Description copied from interface: IListener
Check if the module called name is a callback ordering prerequisite for this module. In other words, if this function returns true for the given name, then this listener will be called after that message listener.

Specified by:
isCallbackOrderingPrereq in interface IListener<OFType>
Parameters:
type - the object type to which this applies
name - the name of the module
Returns:
whether name is a prerequisite.

isCallbackOrderingPostreq

public boolean isCallbackOrderingPostreq(OFType type,
                                         java.lang.String name)
Description copied from interface: IListener
Check if the module called name is a callback ordering post-requisite for this module. In other words, if this function returns true for the given name, then this listener will be called before that message listener.

Specified by:
isCallbackOrderingPostreq in interface IListener<OFType>
Parameters:
type - the object type to which this applies
name - the name of the module
Returns:
whether name is a post-requisite.

getModuleServices

public java.util.Collection<java.lang.Class<? extends IFloodlightService>> getModuleServices()
Description copied from interface: IFloodlightModule
Return the list of interfaces that this module implements. All interfaces must inherit IFloodlightService

Specified by:
getModuleServices in interface IFloodlightModule
Returns:

getServiceImpls

public java.util.Map<java.lang.Class<? extends IFloodlightService>,IFloodlightService> getServiceImpls()
Description copied from interface: IFloodlightModule
Instantiate (as needed) and return objects that implement each of the services exported by this module. The map returned maps the implemented service to the object. The object could be the same object or different objects for different exported services.

Specified by:
getServiceImpls in interface IFloodlightModule
Returns:
The map from service interface class to service implementation

getModuleDependencies

public java.util.Collection<java.lang.Class<? extends IFloodlightService>> getModuleDependencies()
Description copied from interface: IFloodlightModule
Get a list of Modules that this module depends on. The module system will ensure that each of these dependencies is resolved before the subsequent calls to init().

Specified by:
getModuleDependencies in interface IFloodlightModule
Returns:
The Collection of IFloodlightServices that this module depends on.

readRulesFromStorage

protected java.util.ArrayList<FirewallRule> readRulesFromStorage()
Reads the rules from storage and creates a sorted ArrayList of FirewallRule objects from them. Compare getStorageRules(), which only reads the stored contents for a REST GET and does no parsing, checking or conversion into FirewallRule objects.

Returns:
the sorted arraylist of FirewallRule instances (rules from storage)

init

public void init(FloodlightModuleContext context)
          throws FloodlightModuleException
Description copied from interface: IFloodlightModule
This is a hook for each module to do its internal initialization, e.g., call setService(context.getService("Service")). All module dependencies are resolved when this is called, but not every module is initialized.

Specified by:
init in interface IFloodlightModule
Throws:
FloodlightModuleException

startUp

public void startUp(FloodlightModuleContext context)
Description copied from interface: IFloodlightModule
This is a hook for each module to do its external initializations, e.g., register for callbacks or query for state in other modules. It is expected that this function will not block and that modules that want non-event-driven CPU will spawn their own threads.

Specified by:
startUp in interface IFloodlightModule

receive

public IListener.Command receive(IOFSwitch sw,
                                 OFMessage msg,
                                 FloodlightContext cntx)
Description copied from interface: IOFMessageListener
This is the method Floodlight uses to call listeners with OpenFlow messages

Specified by:
receive in interface IOFMessageListener
Parameters:
sw - the OpenFlow switch that sent this message
msg - the message
cntx - a Floodlight message context object you can use to pass information between listeners
Returns:
the command to continue or stop the execution

enableFirewall

public void enableFirewall(boolean enabled)
Description copied from interface: IFirewallService
Enables/disables the firewall.

Specified by:
enableFirewall in interface IFirewallService
Parameters:
enabled - Whether to enable or disable the firewall.

getRules

public java.util.List<FirewallRule> getRules()
Description copied from interface: IFirewallService
Returns all of the firewall rules

Specified by:
getRules in interface IFirewallService
Returns:
List of all rules

getStorageRules

public java.util.List<java.util.Map<java.lang.String,java.lang.Object>> getStorageRules()
Description copied from interface: IFirewallService
Returns all of the firewall rules in storage for debugging and unit-testing purposes

Specified by:
getStorageRules in interface IFirewallService
Returns:
List of all rules in storage

getSubnetMask

public java.lang.String getSubnetMask()
Description copied from interface: IFirewallService
Returns the subnet mask

Specified by:
getSubnetMask in interface IFirewallService
Returns:
subnet mask

setSubnetMask

public void setSubnetMask(java.lang.String newMask)
Description copied from interface: IFirewallService
Sets the subnet mask

Specified by:
setSubnetMask in interface IFirewallService
Parameters:
newMask - The new subnet mask

addRule

public void addRule(FirewallRule rule)
Description copied from interface: IFirewallService
Adds a new Firewall rule

Specified by:
addRule in interface IFirewallService

deleteRule

public void deleteRule(int ruleid)
Description copied from interface: IFirewallService
Deletes a Firewall rule

Specified by:
deleteRule in interface IFirewallService

matchWithRule

protected RuleWildcardsPair matchWithRule(IOFSwitch sw,
                                          OFPacketIn pi,
                                          FloodlightContext cntx)
Iterates over the firewall rules and tries to match them with the incoming packet (flow). Uses the FirewallRule class's matchWithFlow method to perform matching. It maintains a pair of wildcards (allow and deny) which are assigned later to the firewall's decision: the 'allow' wildcards are applied if the matched rule turns out to be an ALLOW rule and the 'deny' wildcards are applied otherwise. Wildcards are applied to the firewall decision to optimize flows in the switch, ensuring the least number of flows per firewall rule. So, if a particular field is not "ANY" (i.e. not wildcarded) in a higher priority rule, then if a lower priority rule matches the packet and wildcards that field, it can't be wildcarded in the switch's flow entry, because otherwise some packets matching the higher priority rule would escape the firewall. The reason for keeping two different wildcards is that if a field is not wildcarded in a higher priority allow rule, the same field shouldn't be wildcarded for packets matching the lower priority deny rule (non-wildcarded fields in higher priority rules override the wildcarding of those fields in lower priority rules of the opposite type). So, to ensure that wildcards are appropriately set for different types of rules (allow vs. deny), separate wildcards are maintained. Iteration is performed on the sorted list of rules (sorted in decreasing order of priority).

Parameters:
sw - the switch instance
pi - the incoming packet data structure
cntx - the floodlight context
Returns:
an instance of RuleWildcardsPair that specifies the matching rule and the wildcards for the firewall decision
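The allow/deny wildcard-pair policy described above, as an added worked example; this is not Floodlight's own code, and Rule, Field, Action and RuleWildcardsPair are simplified stand-ins for the project's FirewallRule, OFMatch and RuleWildcardsPair types. A rule lists only its non-ANY fields; the example walks the rules in decreasing priority, narrows the opposite-type wildcard set with every higher-priority rule that is skipped, and returns the set belonging to the matched rule's action (default-deny when nothing matches is an assumption of the example). The sample policy and packet are constructed: a high-priority ALLOW for one source host to port 22 sits above a broad IPv4 DENY, and the packet comes from a different host, so the DENY flow entry must keep NW_SRC and TP_DST exact or traffic from the allowed host would be dropped by that entry without ever reaching the controller.

```java
import java.util.ArrayList;
import java.util.Comparator;
import java.util.EnumMap;
import java.util.EnumSet;
import java.util.List;
import java.util.Map;

// Added illustration of the allow/deny wildcard-pair policy that matchWithRule is documented
// to follow. Rule, Field, Action and RuleWildcardsPair are simplified stand-ins, not Floodlight's.
public class WildcardPairDemo {

    // Header fields a rule may constrain; a field absent from a rule means "ANY" (wildcarded).
    enum Field { DPID, IN_PORT, DL_SRC, DL_DST, DL_TYPE, NW_SRC, NW_DST, NW_PROTO, TP_SRC, TP_DST }

    enum Action { ALLOW, DENY }

    static final class Rule {
        final int id;
        final int priority;
        final Action action;
        final Map<Field, Long> match;   // only the non-ANY fields

        Rule(int id, int priority, Action action, Map<Field, Long> match) {
            this.id = id; this.priority = priority; this.action = action; this.match = match;
        }

        // Exact-value test on every non-ANY field (stand-in for FirewallRule's matching).
        boolean matchWithFlow(Map<Field, Long> packet) {
            for (Map.Entry<Field, Long> e : match.entrySet()) {
                if (!e.getValue().equals(packet.get(e.getKey()))) return false;
            }
            return true;
        }
    }

    // Matched rule (null when nothing matched) plus the fields the flow entry may wildcard.
    static final class RuleWildcardsPair {
        final Rule rule;
        final EnumSet<Field> wildcards;
        RuleWildcardsPair(Rule rule, EnumSet<Field> wildcards) { this.rule = rule; this.wildcards = wildcards; }
    }

    static RuleWildcardsPair matchWithRule(List<Rule> rules, Map<Field, Long> packet) {
        // Walk the rules in decreasing priority, as the Javadoc states.
        List<Rule> sorted = new ArrayList<>(rules);
        sorted.sort(Comparator.comparingInt((Rule r) -> r.priority).reversed());

        // One wildcard set per decision type; both start fully wildcarded.
        EnumSet<Field> allowWildcards = EnumSet.allOf(Field.class);
        EnumSet<Field> denyWildcards = EnumSet.allOf(Field.class);

        for (Rule r : sorted) {
            if (r.matchWithFlow(packet)) {
                // Use the set for the matched rule's action; the rule's own specific fields
                // are part of the match and must stay exact in the flow entry.
                EnumSet<Field> chosen = (r.action == Action.ALLOW) ? allowWildcards : denyWildcards;
                chosen.removeAll(r.match.keySet());
                return new RuleWildcardsPair(r, chosen);
            }
            // A skipped higher-priority rule pins its specific fields for flows that end with the
            // opposite decision: wildcarding them would let packets belonging to this rule be
            // swallowed by the lower-priority flow entry and escape the firewall.
            if (r.action == Action.ALLOW) {
                denyWildcards.removeAll(r.match.keySet());
            } else {
                allowWildcards.removeAll(r.match.keySet());
            }
        }
        // Nothing matched: the deny wildcards apply (default-deny is assumed here).
        return new RuleWildcardsPair(null, denyWildcards);
    }

    // Builds an EnumMap from alternating Field/value arguments.
    static Map<Field, Long> fields(Object... kv) {
        Map<Field, Long> m = new EnumMap<>(Field.class);
        for (int i = 0; i < kv.length; i += 2) {
            m.put((Field) kv[i], ((Number) kv[i + 1]).longValue());
        }
        return m;
    }

    public static void main(String[] args) {
        // Constructed policy: a specific high-priority ALLOW above a broad IPv4 DENY.
        List<Rule> rules = new ArrayList<>();
        rules.add(new Rule(1, 10, Action.ALLOW, fields(Field.NW_SRC, 0x0A000005L, Field.TP_DST, 22)));
        rules.add(new Rule(2, 5, Action.DENY, fields(Field.DL_TYPE, 0x0800)));

        // Constructed packet: IPv4 from 10.0.0.9 to TCP port 22 (misses rule 1, hits rule 2).
        Map<Field, Long> packet = fields(Field.DL_TYPE, 0x0800, Field.NW_PROTO, 6,
                                         Field.NW_SRC, 0x0A000009L, Field.TP_DST, 22);

        RuleWildcardsPair result = matchWithRule(rules, packet);
        System.out.println("matched rule: " + (result.rule == null ? "none" : result.rule.id));
        System.out.println("wildcarded fields: " + result.wildcards);
        // NW_SRC and TP_DST are missing from the wildcards although rule 2 wildcards them:
        // the DENY flow entry keeps them exact so 10.0.0.5 -> port 22 traffic still reaches
        // the controller, where rule 1 allows it.
    }
}
```

Only rules of the opposite type narrow a wildcard set: if a skipped higher-priority ALLOW rule and the matched lower-priority rule are both ALLOW, packets of the skipped rule get the same decision either way, so wildcarding its fields in the installed flow entry cannot let anything escape. This is why two sets are kept rather than one.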

IPIsBroadcast

protected boolean IPIsBroadcast(int IPAddress)
Checks whether an IP address is a broadcast address or not (determined using the subnet mask)

Parameters:
IPAddress - the IP address to check
Returns:
true if it is a broadcast address, false otherwise

processPacketInMessage

public IListener.Command processPacketInMessage(IOFSwitch sw,
                                                OFPacketIn pi,
                                                IRoutingDecision decision,
                                                FloodlightContext cntx)

isEnabled

public boolean isEnabled()
Description copied from interface: IFirewallService
Returns operational status of the firewall

Specified by:
isEnabled in interface IFirewallService
Returns:
true if the firewall is enabled, false otherwise