Comments (14)
Hi @LucasShih,
Your output suggests that you used an old version of lagosh (0.1.2?).
Could you check with lagopus 0.2.5 and the latest version of lagosh?
We run the same application on the same version with raw-socket mode.
It worked well with the following output:
% curl -X POST -d '{"nw_src": "10.0.0.2/32", "nw_dst": "10.0.0.3/32", "nw_proto": "ICMP", "actions": "DENY", "priority": "10"}' http://localhost:8080/firewall/rules/0000000000000001
[{"switch_id": "0000000000000001", "command_result": [{"result": "success", "details": "Rule added. : rule_id=1"}]}]
% curl http://localhost:8080/firewall/rules/0000000000000001
[{"access_control_list": [{"rules": [{"priority": 10, "dl_type": "IPv4", "nw_proto": "ICMP", "nw_dst": "10.0.0.3/255.255.255.255", "nw_src": "10.0.0.2/255.255.255.255", "rule_id": 1, "actions": "DENY"}]}], "switch_id": "0000000000000001"}]
% ./test/datastore/tools/check_cmd.py
> flow
{"ret":"OK",
"data":[{"name":":bridge01",
"tables":[{"table":0,
"flows":[{"priority":65535,
"idle_timeout":0,
"hard_timeout":0,
"cookie":0,
"actions":[]},
{"priority":65534,
"idle_timeout":0,
"hard_timeout":0,
"cookie":0,
"dl_type":"arp",
"actions":[{"apply_actions":
[{"output":"normal"}]}]},
{"priority":10,
"idle_timeout":0,
"hard_timeout":0,
"cookie":1,
"dl_type":"ip",
"nw_proto":1,
"nw_src":"10.0.0.2\/255.255.255.255",
"nw_dst":"10.0.0.3\/255.255.255.255",
"actions":[{"apply_actions":
[{"output":"controller"}]}]},
{"priority":0,
"idle_timeout":0,
"hard_timeout":0,
"cookie":0,
"actions":[{"apply_actions":
[{"output":"controller"}]}]}]}]}]}
Sorry, I have not illustrated it clearly.
On the Ryu controller, I execute these commands as below:
curl -X PUT http://localhost:8080/firewall/module/enable/0000000000000001
curl -X POST -d '{"nw_src": "10.1.1.1/32", "nw_dst": "10.1.1.2/32", "nw_proto": "ICMP", "actions": "ALLOW"}' http://localhost:8080/firewall/rules/0000000000000001
curl -X POST -d '{"nw_src": "10.1.1.2/32", "nw_dst": "10.1.1.1/32", "nw_proto": "ICMP", "actions": "ALLOW"}' http://localhost:8080/firewall/rules/0000000000000001
I wanted the two PCs (10.1.1.1 and 10.1.1.2) to be able to ping each other.
But when I checked the rules on the controller, the actions were shown as DENY:
curl http://localhost:8080/firewall/rules/0000000000000001
[{"access_control_list": [{"rules": [{"priority": 1, "dl_type": "IPv4", "nw_proto": "ICMP", "nw_dst": "10.1.1.2/255.255.255.255", "nw_src": "10.1.1.1/255.255.255.255", "rule_id": 1, "actions": "DENY"}, {"priority": 1, "dl_type": "IPv4", "nw_proto": "ICMP", "nw_dst": "10.1.1.1/255.255.255.255", "nw_src": "10.1.1.2/255.255.255.255", "rule_id": 2, "actions": "DENY"}]}], "switch_id": "0000000000000001"}]
And the Lagopus switch flow entries were right, as below:
Lagosh> show flow
[
  {
    "tables": [
      {
        "table": 0,
        "flows": [
          {
            "dl_type": "arp",
            "stats": {"packet_count": 752, "byte_count": 45120},
            "hard_timeout": 0,
            "actions": [{"apply_actions": [{"output": "normal"}]}],
            "priority": 65534,
            "idle_timeout": 0,
            "cookie": 0
          },
          {
            "dl_type": "ip",
            "stats": {"packet_count": 0, "byte_count": 0},
            "hard_timeout": 0,
            "nw_dst": "10.1.1.2/255.255.255.255",
            "nw_proto": 1,
            "actions": [{"apply_actions": [{"output": "normal"}]}],
            "priority": 1,
            "idle_timeout": 0,
            "cookie": 1,
            "nw_src": "10.1.1.1/255.255.255.255"
          },
          {
            "dl_type": "ip",
            "stats": {"packet_count": 0, "byte_count": 0},
            "hard_timeout": 0,
            "nw_dst": "10.1.1.1/255.255.255.255",
            "nw_proto": 1,
            "actions": [{"apply_actions": [{"output": "normal"}]}],
            "priority": 1,
            "idle_timeout": 0,
            "cookie": 2,
            "nw_src": "10.1.1.2/255.255.255.255"
          },
          {
            "stats": {"packet_count": 46, "byte_count": 6755},
            "hard_timeout": 0,
            "actions": [{"apply_actions": [{"output": "controller"}]}],
            "priority": 0,
            "idle_timeout": 0,
            "cookie": 0
          }
        ]
      }
    ],
    "name": "bridge1",
    "is-enabled": true
  }
]
I tested Lagopus versions 0.2.5 and 0.1.2; the situation was the same, the two PCs could not ping each other.
Hi,
We found that the issue you have reported is caused by a Ryu bug.
In the to_rest() method, the Ryu script compares the string value of NORMAL with the integer value of the OpenFlow NORMAL port (OFPP_NORMAL = 0xfffffffa).
ryu/app/rest_firewall.py
    def to_rest(dp, openflow):
        if REST_ACTION in openflow:
            # 'OUTPUT:<integer port>', compared by exact string equality
            action_allow = 'OUTPUT:%d' % dp.ofproto.OFPP_NORMAL
            if openflow[REST_ACTION] == [action_allow]:
                action = {REST_ACTION: REST_ACTION_ALLOW}
            else:
                action = {REST_ACTION: REST_ACTION_DENY}
        else:
            action = {REST_ACTION: 'Unknown action type.'}
        return action
In addition, Lagopus will drop a packet when hybrid mode is not enabled in the build configuration phase (configure option) and the NORMAL port is specified in an OpenFlow output action.
If you want to enable OFPP_NORMAL in Lagopus, please specify --enable-hybrid in configure.
Thanks,
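The comparison the maintainer points at, reproduced as an added Python example (not Ryu's or Lagopus's own code): to_rest_original() mirrors the exact-string check in rest_firewall.py, while to_rest_fixed() accepts either the numeric or the symbolic form of the NORMAL output port, so a rule that really is ALLOW on the switch is not reported as DENY. The symbolic string 'OUTPUT:NORMAL' and the helper names are assumptions made for this example.

```python
# Added example, not code from Ryu or Lagopus.
OFPP_NORMAL = 0xfffffffa          # OpenFlow 1.3 reserved port, as quoted in the thread
REST_ACTION = 'actions'
REST_ACTION_ALLOW = 'ALLOW'
REST_ACTION_DENY = 'DENY'


def to_rest_original(openflow):
    """Comparison as described in the thread: exact string match only."""
    if REST_ACTION in openflow:
        action_allow = 'OUTPUT:%d' % OFPP_NORMAL   # 'OUTPUT:4294967290'
        if openflow[REST_ACTION] == [action_allow]:
            return {REST_ACTION: REST_ACTION_ALLOW}
        return {REST_ACTION: REST_ACTION_DENY}     # 'OUTPUT:NORMAL' lands here
    return {REST_ACTION: 'Unknown action type.'}


def _is_output_normal(action_str):
    """True for 'OUTPUT:<port>' where <port> is OFPP_NORMAL written as a
    number (decimal or hex) or as the symbolic name NORMAL (assumed spelling
    of the switch-side rendering)."""
    kind, sep, port = action_str.partition(':')
    if kind != 'OUTPUT' or not sep:
        return False
    if port.strip().upper() == 'NORMAL':
        return True
    try:
        return int(port, 0) == OFPP_NORMAL
    except ValueError:
        return False


def to_rest_fixed(openflow):
    """Same shape as the original, but tolerant of the symbolic port name.
    Anything that is not exactly one output-to-NORMAL action stays DENY."""
    if REST_ACTION in openflow:
        acts = openflow[REST_ACTION]
        if len(acts) == 1 and _is_output_normal(acts[0]):
            return {REST_ACTION: REST_ACTION_ALLOW}
        return {REST_ACTION: REST_ACTION_DENY}
    return {REST_ACTION: 'Unknown action type.'}
```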
Thank you, that is useful.
Hi @LucasShih,
Great, we close this issue.
Thanks!
I am sorry, but can anyone tell me how to specify "--enable-hybrid" in Lagopus configure? I am using lagosh to configure Lagopus.
Hi @Hong-Panha
Your question is not related to this issue, so could you create another issue if you have any further questions?
The hybrid option "--enable-hybrid" is configured by configure at the Lagopus installation steps.
Hi @ynkjm
Actually, I had the same problem as @LucasShih. I am trying to implement a firewall on Lagopus. I run rest_firewall.py through ryu-manager just like @LucasShih did, but it didn't work. I read this issue and saw you suggested the solution, but I wonder how I can specify that. I installed Lagopus following the QUICKSTART.md.
Hi @Hong-Panha ,
Would you give us issue details that you face?
I am using Lagopus as my OpenFlow switch and I connect two PCs to the switch. Even though I set the rule to give permission for the packets, I still cannot ping. Please refer to the attached file, which consists of the log from ryu-manager and the rules of the firewall.
Excuse me for cutting in,
I wonder if "--enable-hybrid" is available with the non-DPDK version, which is specified with the "--disable-dpdk" option.
In my environment I'm using Mininet, so I can only use the non-DPDK version.
With './configure --disable-dpdk --enable-hybrid=yes', the "output": "normal" action does not seem to work well.
Should "--enable-hybrid" be used with the DPDK version?
Sorry for late reply.
Could you show us the flow entry and your configuration of Lagopus switch?
Hi @ynkjm
Sorry for the late response.
Here is the Lagopus configuration. I will send the flow entry later when I do the experiment again, because I am on vacation and cannot access the lab.
PS: I haven't reinstalled Lagopus with "--enable-hybrid" yet.
interface {
    interface01 {
        type ethernet-dpdk-phy;
        port-number 0;
        mtu 1500;
        ip-addr 127.0.0.1;
    }
    interface02 {
        type ethernet-dpdk-phy;
        port-number 1;
        mtu 1500;
        ip-addr 127.0.0.1;
    }
    interface03 {
        type ethernet-dpdk-phy;
        port-number 2;
        mtu 1500;
        ip-addr 127.0.0.1;
    }
}
port {
    port01 {
        interface interface01;
    }
    port02 {
        interface interface02;
    }
    port03 {
        interface interface03;
    }
}
channel {
    channel01 {
        dst-addr 127.0.0.1;
        dst-port 6633;
        local-addr 0.0.0.0;
        local-port 0;
        protocol tcp;
    }
}
controller {
    controller01 {
        channel channel01;
        role equal;
        connection-type main;
    }
}
bridge {
    bridge01 {
        dpid 1;
        controller controller01;
        port port01 1;
        port port02 2;
        port port03 3;
        fail-mode secure;
        flow-statistics true;
        group-statistics true;
        port-statistics true;
        queue-statistics true;
        table-statistics true;
        reassemble-ip-fragments false;
        max-buffered-packets 65535;
        max-ports 255;
        max-tables 255;
        max-flows 4294967295;
        packet-inq-size 1000;
        packet-inq-max-batches 1000;
        up-streamq-size 1000;
        up-streamq-max-batches 1000;
        down-streamq-size 1000;
        down-streamq-max-batches 1000;
        block-looping-ports false;
    }
}
Thanks
Hi @LucasShih,
I am trying to run the Ryu firewall application on a Lagopus switch, but there are some problems just like you have mentioned above. Even though I have set up the rule to permit ping, I still cannot ping between my two PCs. And I have already reinstalled my Lagopus in hybrid mode.
I hope you can share some of your experience related to this issue.
Best Regards,
Panha