
Comments (14)

ynkjm avatar ynkjm commented on May 30, 2024

Hi @LucasShih,

Your output suggests that you used an old version of lagosh (0.1.2?).
Could you check with lagopus 0.2.5 and the latest version of lagosh?

We run the same application on the same version with raw-socket mode.
It worked well with the following output:

% curl -X POST -d  '{"nw_src": "10.0.0.2/32", "nw_dst": "10.0.0.3/32", "nw_proto": "ICMP", "actions": "DENY", "priority": "10"}' http://localhost:8080/firewall/rules/0000000000000001
[{"switch_id": "0000000000000001", "command_result": [{"result": "success", "details": "Rule added. : rule_id=1"}]}]
% curl http://localhost:8080/firewall/rules/0000000000000001
[{"access_control_list": [{"rules": [{"priority": 10, "dl_type": "IPv4", "nw_proto": "ICMP", "nw_dst": "10.0.0.3/255.255.255.255", "nw_src": "10.0.0.2/255.255.255.255", "rule_id": 1, "actions": "DENY"}]}], "switch_id": "0000000000000001"}]
% ./test/datastore/tools/check_cmd.py
> flow
{"ret":"OK",
"data":[{"name":":bridge01",
"tables":[{"table":0,
"flows":[{"priority":65535,
"idle_timeout":0,
"hard_timeout":0,
"cookie":0,
"actions":[]},
{"priority":65534,
"idle_timeout":0,
"hard_timeout":0,
"cookie":0,
"dl_type":"arp",
"actions":[{"apply_actions":
[{"output":"normal"}]}]},
{"priority":10,
"idle_timeout":0,
"hard_timeout":0,
"cookie":1,
"dl_type":"ip",
"nw_proto":1,
"nw_src":"10.0.0.2\/255.255.255.255",
"nw_dst":"10.0.0.3\/255.255.255.255",
"actions":[{"apply_actions":
[{"output":"controller"}]}]},
{"priority":0,
"idle_timeout":0,
"hard_timeout":0,
"cookie":0,
"actions":[{"apply_actions":
[{"output":"controller"}]}]}]}]}]}

from lagopus.

LucasShih avatar LucasShih commented on May 30, 2024

Sorry, I have not illustrated this clearly.

On the Ryu controller, I executed these commands as below:
curl -X PUT http://localhost:8080/firewall/module/enable/0000000000000001
curl -X POST -d '{"nw_src ": "10.1.1.1/32" , "nw_dst ": "10.1.1.2/32" ,"nw_proto ": "ICMP", "actions": "ALLOW"}' http://localhost:8080/firewall/rules/0000000000000001
curl -X POST -d '{"nw_src ": "10.1.1.2/32" , "nw_dst ": "10.1.1.1/32" ,"nw_proto ": "ICMP", "actions": "ALLOW"}' http://localhost:8080/firewall/rules/0000000000000001

I wanted the two PCs (10.1.1.1 and 10.1.1.2) to be able to ping each other.

But when I checked the rules on the controller, the actions were shown as DENY:
curl http://localhost:8080/firewall/rules/0000000000000001
[{"access_control_list": [{"rules": [{"priority": 1, "dl_type": "IPv4", "nw_proto": "ICMP", "nw_dst": "10.1.1.2/255.255.255.255", "nw_src": "10.1.1.1/255.255.255.255", "rule_id": 1, "actions": "DENY"}, {"priority": 1, "dl_type": "IPv4", "nw_proto": "ICMP", "nw_dst": "10.1.1.1/255.255.255.255", "nw_src": "10.1.1.2/255.255.255.255", "rule_id": 2, "actions": "DENY"}]}], "switch_id": "0000000000000001"}]

And the Lagopus switch flow entries were right, as below:

Lagosh> show flow
[
  {
    "tables": [
      {
        "table": 0,
        "flows": [
          {
            "dl_type": "arp",
            "stats": {
              "packet_count": 752,
              "byte_count": 45120
            },
            "hard_timeout": 0,
            "actions": [
              {
                "apply_actions": [
                  {
                    "output": "normal"
                  }
                ]
              }
            ],
            "priority": 65534,
            "idle_timeout": 0,
            "cookie": 0
          },
          {
            "dl_type": "ip",
            "stats": {
              "packet_count": 0,
              "byte_count": 0
            },
            "hard_timeout": 0,
            "nw_dst": "10.1.1.2/255.255.255.255",
            "nw_proto": 1,
            "actions": [
              {
                "apply_actions": [
                  {
                    "output": "normal"
                  }
                ]
              }
            ],
            "priority": 1,
            "idle_timeout": 0,
            "cookie": 1,
            "nw_src": "10.1.1.1/255.255.255.255"
          },
          {
            "dl_type": "ip",
            "stats": {
              "packet_count": 0,
              "byte_count": 0
            },
            "hard_timeout": 0,
            "nw_dst": "10.1.1.1/255.255.255.255",
            "nw_proto": 1,
            "actions": [
              {
                "apply_actions": [
                  {
                    "output": "normal"
                  }
                ]
              }
            ],
            "priority": 1,
            "idle_timeout": 0,
            "cookie": 2,
            "nw_src": "10.1.1.2/255.255.255.255"
          },
          {
            "stats": {
              "packet_count": 46,
              "byte_count": 6755
            },
            "hard_timeout": 0,
            "actions": [
              {
                "apply_actions": [
                  {
                    "output": "controller"
                  }
                ]
              }
            ],
            "priority": 0,
            "idle_timeout": 0,
            "cookie": 0
          }
        ]
      }
    ],
    "name": "bridge1",
    "is-enabled": true
  }
]

I tested both Lagopus versions 0.2.5 and 0.1.2; the situation was the same, the two PCs could not ping each other.


ynkjm avatar ynkjm commented on May 30, 2024

Hi,

We found that the issue you have reported is caused by a bug in Ryu.
In the to_rest() method, the Ryu script compares the string value of NORMAL with the integer value of the OpenFlow NORMAL port (OFPP_NORMAL = 0xfffffffa).

ryu/app/rest_firewall.py

    def to_rest(dp, openflow):
        if REST_ACTION in openflow:
            # The only form recognised as ALLOW: 'OUTPUT:<OFPP_NORMAL as a decimal integer>'
            action_allow = 'OUTPUT:%d' % dp.ofproto.OFPP_NORMAL
            # Exact string comparison: an output action rendered with the
            # symbolic port name NORMAL never matches and falls through to DENY
            if openflow[REST_ACTION] == [action_allow]:
                action = {REST_ACTION: REST_ACTION_ALLOW}
            else:
                action = {REST_ACTION: REST_ACTION_DENY}
        else:
            action = {REST_ACTION: 'Unknown action type.'}

        return action

In addition, Lagopus will drop a packet when hybrid mode is not enabled in the build configuration phase (configure option) and the NORMAL port is specified in an OpenFlow output action.
If you want to enable OFPP_NORMAL in Lagopus, please specify --enable-hybrid in configure.

Thanks,

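The mismatch described in the reply above, as an added example that is neither Ryu's nor Lagopus's code: a to_rest() that compares the rendered action string exactly (as in the snippet), beside a version that parses the output port number before comparing. The action strings 'OUTPUT:4294967290' and 'OUTPUT:NORMAL' are assumed renderings of the same OFPP_NORMAL output action.

```python
# Added example (not Ryu's or Lagopus's code). Shows why an exact string
# comparison in to_rest() reports an ALLOW rule as DENY when the switch's
# flow-stats reply names the port symbolically, and a tolerant alternative.

OFPP_NORMAL = 0xfffffffa        # OpenFlow 1.3 reserved port number for NORMAL
REST_ACTION = 'actions'
REST_ACTION_ALLOW = 'ALLOW'
REST_ACTION_DENY = 'DENY'

# Assumed: reserved-port names that a switch may render instead of a number.
PORT_NAMES = {'NORMAL': OFPP_NORMAL}


def to_rest_buggy(openflow):
    """Exact-string comparison, mirroring the snippet from the reply above."""
    if REST_ACTION not in openflow:
        return {REST_ACTION: 'Unknown action type.'}
    action_allow = 'OUTPUT:%d' % OFPP_NORMAL      # 'OUTPUT:4294967290'
    if openflow[REST_ACTION] == [action_allow]:
        return {REST_ACTION: REST_ACTION_ALLOW}
    return {REST_ACTION: REST_ACTION_DENY}


def output_port(action_str):
    """Parse 'OUTPUT:<port>' into an integer port number; None if not an output."""
    kind, sep, port = action_str.partition(':')
    if not sep or kind.strip().upper() != 'OUTPUT':
        return None
    port = port.strip()
    if port.upper() in PORT_NAMES:
        return PORT_NAMES[port.upper()]
    try:
        return int(port, 0)     # accepts decimal and 0x-prefixed hex
    except ValueError:
        return None


def to_rest_fixed(openflow):
    """Compare the parsed port number, so both renderings map to ALLOW."""
    if REST_ACTION not in openflow:
        return {REST_ACTION: 'Unknown action type.'}
    actions = openflow[REST_ACTION]
    if len(actions) == 1 and output_port(actions[0]) == OFPP_NORMAL:
        return {REST_ACTION: REST_ACTION_ALLOW}
    return {REST_ACTION: REST_ACTION_DENY}
```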

LucasShih avatar LucasShih commented on May 30, 2024

Thank you, that is useful.


ynkjm avatar ynkjm commented on May 30, 2024

Hi @LucasShih,

Great, we close this issue.

Thanks!


Hong-Panha avatar Hong-Panha commented on May 30, 2024

I am sorry, but can anyone tell me how to specify "--enable-hybrid" in the Lagopus configure? I am using lagosh to configure Lagopus.


ynkjm avatar ynkjm commented on May 30, 2024

Hi @Hong-Panha

Your question is not related to this issue, so could you create another issue if you have any further question?
The hybrid option of "--enable-hybrid" is configured by configure at the Lagopus installation steps.


Hong-Panha avatar Hong-Panha commented on May 30, 2024

Hi @ynkjm

Actually I had the same problem as @LucasShih. I am trying to implement a firewall on Lagopus. I run rest_firewall.py through ryu-manager just like @LucasShih did. But it didn't work. And I read this issue and saw you suggested the solution, but I am wondering how I can specify that. I installed Lagopus following the QUICKSTART.md.


ynkjm avatar ynkjm commented on May 30, 2024

Hi @Hong-Panha ,

Would you give us issue details that you face?


Hong-Panha avatar Hong-Panha commented on May 30, 2024

I am using Lagopus as my OpenFlow switch and I connected two PCs to the switch. Even though I set the rule to give permission for the packet, I still cannot ping. Please refer to the attached files, which consist of the log from ryu-manager and the rules of the firewall.

[Attached screenshots: screen shot 2016-07-21 at 5 11 06 pm; screen shot 2016-07-21 at 5 05 09 pm; screen shot 2016-07-21 at 5 08 29 pm]


iwaseyusuke avatar iwaseyusuke commented on May 30, 2024

Excuse me for cutting in,

I wonder if "--enable-hybrid" is available with the non-DPDK version, which is specified with the "--disable-dpdk" option.
In my environment, I'm using Mininet, so I can only use the non-DPDK version.

With './configure --disable-dpdk --enable-hybrid=yes', the "output": "normal" action does not seem to work well.

Should "--enable-hybrid" be used with the DPDK version?


ynkjm avatar ynkjm commented on May 30, 2024

@Hong-Panha,

Sorry for late reply.
Could you show us the flow entry and your configuration of Lagopus switch?


Hong-Panha avatar Hong-Panha commented on May 30, 2024

Hi @ynkjm

Sorry for late response.

Here is the Lagopus configuration, and I will send the flow entry later when I do the experiment again, because I am on vacation and cannot access the lab.

PS: I haven't reinstalled Lagopus with "--enable-hybrid" yet.

interface {
    interface01 {
        type ethernet-dpdk-phy;
        port-number 0;
        mtu 1500;
        ip-addr 127.0.0.1;
    }
    interface02 {
        type ethernet-dpdk-phy;
        port-number 1;
        mtu 1500;
        ip-addr 127.0.0.1;
    }
    interface03 {
        type ethernet-dpdk-phy;
        port-number 2;
        mtu 1500;
        ip-addr 127.0.0.1;
    }
}
port {
    port01 {
        interface interface01;
    }
    port02 {
        interface interface02;
    }
    port03 {
        interface interface03;
    }
}
channel {
    channel01 {
        dst-addr 127.0.0.1;
        dst-port 6633;
        local-addr 0.0.0.0;
        local-port 0;
        protocol tcp;
    }
}
controller {
    controller01 {
        channel channel01;
        role equal;
        connection-type main;
    }
}
bridge {
    bridge01 {
        dpid 1;
        controller controller01;
        port port01 1;
        port port02 2;
        port port03 3;
        fail-mode secure;
        flow-statistics true;
        group-statistics true;
        port-statistics true;
        queue-statistics true;
        table-statistics true;
        reassemble-ip-fragments false;
        max-buffered-packets 65535;
        max-ports 255;
        max-tables 255;
        max-flows 4294967295;
        packet-inq-size 1000;
        packet-inq-max-batches 1000;
        up-streamq-size 1000;
        up-streamq-max-batches 1000;
        down-streamq-size 1000;
        down-streamq-max-batches 1000;
        block-looping-ports false;
    }
}

Thanks


Hong-Panha avatar Hong-Panha commented on May 30, 2024

Hi @LucasShih,

I am trying to run the Ryu firewall application on a Lagopus switch, but there are some problems just like you have mentioned above. Even though I have set up the rule to permit ping, I still cannot ping between my two PCs. And I already reinstalled my Lagopus in hybrid mode.

I hope you can share some of your experience related to this issue.

Best Regards,
Panha

