def testTopo():
net = Containernet(controller=Controller, link=TCLink)
info("*** Adding controller\n")
net.addController("c0")
info("*** Adding hosts\n")
router = net.addDockerHost(
"router",
dimage="sec_test",
docker_args={
"cpuset_cpus": "1",
"cpu_quota": 25000
},
)
internal1 = net.addDockerHost(
"internal1",
dimage="sec_test",
ip="10.0.0.2",
docker_args={
"cpuset_cpus": "1",
"cpu_quota": 25000
},
)
internal2 = net.addDockerHost(
"internal2",
dimage="sec_test",
ip="192.168.0.2",
docker_args={
"cpuset_cpus": "0",
"cpu_quota": 25000
},
)
internet = net.addDockerHost(
"internet",
dimage="sec_test",
ip="100.64.0.2",
docker_args={
"cpuset_cpus": "0",
"cpu_quota": 25000
},
)
info("*** Adding switch\n")
s1 = net.addSwitch("s1")
s2 = net.addSwitch("s2")
s3 = net.addSwitch("s3")
info("*** Creating links\n")
net.addLinkNamedIfce(s1, router, bw=100, delay="10ms")
net.addLinkNamedIfce(s2, router, bw=100, delay="10ms")
net.addLinkNamedIfce(s3, router, bw=100, delay="10ms")
net.addLinkNamedIfce(s1, internal1, bw=100, delay="10ms")
net.addLinkNamedIfce(s2, internal2, bw=100, delay="10ms")
net.addLinkNamedIfce(s3, internet, bw=100, delay="10ms")
try:
info("*** Starting network\n")
net.start()
# Setup the router
router.cmd("ip a a 10.0.0.1/24 dev router-s1")
router.cmd("ip a a 192.168.0.1/24 dev router-s2")
router.cmd("ip a a 100.64.0.1/24 dev router-s3")
# Configure the router as default gateway
internal1.cmd("ip r c default via 10.0.0.1")
internal2.cmd("ip r c default via 192.168.0.1")
internet.cmd("ip r c default via 100.64.0.1")
# Start some services
internal2.cmd("service ssh start")
internal2.cmd("nc -l -p 1337 &")
router.cmd("service ssh start")
# Create whitelist
info("*** Create firewall whitelist\n")
router.cmd("nft add table inet filter")
router.cmd(
"nft add chain inet filter forward { type filter hook forward priority 0 \; policy drop \; }"
)
router.cmd(
"nft add rule inet filter forward ct state established,related ip daddr 192.168.0.0/24 accept"
)
router.cmd(
"nft add rule inet filter forward ip saddr 10.0.0.0/24 accept")
router.cmd(
"nft add rule inet filter forward ip saddr 192.168.0.0/24 accept")
info(
"*** Rewrite the present filter ruleset and create one chain for each of the 3 networks.\n"
)
info(
"*** You can use the network interfaces to distinguish the traffic from the networks.\n"
)
info(
"*** Additionally filter traffic to the ports 22 and 1337 on the router and the internal networks.\n"
)
while not check_connectivity_between_hosts(router, internal1,
internal2, internet):
sleep(5)
except KeyboardInterrupt:
info("** KeyboardInterrupt detected, exit the program.\n")
finally:
info("*** Stopping network")
net.stop()
def testTopo():
net = Containernet(controller=Controller, link=TCLink)
info("*** Adding controller\n")
net.addController("c0")
info("*** Adding hosts\n")
client = net.addDockerHost(
"client",
dimage="sec_test",
ip="10.0.0.1/24",
docker_args={"cpuset_cpus": "1", "cpu_quota": 25000},
)
server = net.addDockerHost(
"server",
dimage="nginx",
ip="10.0.0.2/24",
docker_args={"cpuset_cpus": "1", "cpu_quota": 25000},
)
attacker = net.addDockerHost(
"attacker",
dimage="sec_test",
ip="10.0.0.3/24",
docker_args={"cpuset_cpus": "0", "cpu_quota": 25000},
)
info("*** Adding switch\n")
s1 = net.addSwitch("s1")
info("*** Creating links\n")
net.addLinkNamedIfce(s1, client, bw=10, delay="10ms")
net.addLinkNamedIfce(s1, server, bw=10, delay="10ms")
net.addLinkNamedIfce(s1, attacker, bw=10, delay="10ms")
try:
info("*** Starting network\n")
net.start()
info("** client -> server\n")
info("** " + str(test_connection(client, "10.0.0.2")) + "\n")
info("** attacker -> server\n")
info("** " + str(test_connection(attacker, "10.0.0.2")) + "\n")
info(
"*** The client and the attacker can both communicate with the server \n\n"
)
# Create blacklist
info(
"*** Create a blacklist that stops the attacker from accessing the server.\n"
)
info(
"*** First create a nftables table for IPv4 and IPv6 and then add a base chain connected to the input hook.\n"
)
info(
"*** Finally add a rule to the base chain that drops packets coming from the attacker (10.0.0.3).\n"
)
info("*** When the attacker is blocked the exercise continues.\n")
# Check if client can connect and attacker can not.
while not test_connection(client, "10.0.0.2") or test_connection(
attacker, "10.0.0.2"
):
sleep(5)
info("** client -> server\n")
info("** " + str(test_connection(client, "10.0.0.2")) + "\n")
test_connection(client, "10.0.0.2")
info("** attacker -> server\n")
info("** " + str(test_connection(attacker, "10.0.0.2")) + "\n")
info("\n")
info(
"*** The attacker is blocked and the client can still access the server.\n"
)
info("*** The attacker changed her IP address to a different one!\n")
info(
"*** Implement a whitelist that only allows the client to connect to the server.\n"
)
attacker_ip = "10.0.0." + str(random.randint(3, 250))
attacker.cmd("ip a f dev attacker-s1")
attacker.cmd("ip a a " + attacker_ip + "/24 dev attacker-s1")
info("** attacker -> server\n")
info("** " + str(test_connection(attacker, "10.0.0.2")) + "\n")
# Check if client can connect and attacker can not.
while not test_connection(client, "10.0.0.2") or test_connection(
attacker, "10.0.0.2"
):
sleep(5)
info("\n")
# The server can talk back to server
info("** client -> server\n")
info("** " + str(test_connection(client, "10.0.0.2")) + "\n")
test_connection(client, "10.0.0.2")
info("** attacker -> server\n")
info("** " + str(test_connection(attacker, "10.0.0.2")) + "\n")
except KeyboardInterrupt:
info("** KeyboardInterrupt detected, exit the program.\n")
finally:
info("*** Stopping network")
net.stop()
}
if __name__ == "__main__":
setLogLevel("info")
net = Containernet(controller=Controller, link=TCLink, xterms=False)
mgr = VNFManager(net)
info("*** Add controller\n")
net.addController("c0")
info("*** Creating hosts\n")
h1 = net.addDockerHost(
"h1",
dimage="lat_bm",
ip="10.0.0.1",
docker_args={"hostname": "h1"},
)
h2 = net.addDockerHost("h2",
dimage="dev_test",
ip="10.0.0.2",
docker_args={"hostname": "h2"})
info("*** Adding switch and links\n")
switch1 = net.addSwitch("s1")
switch2 = net.addSwitch("s2")
net.addLink(switch1, h1, bw=10, delay="10ms")
net.addLink(switch1, switch2, bw=10, delay="10ms")
net.addLink(switch2, h2, bw=10, delay="10ms")
info("\n*** Starting network\n")
# Only used for auto-testing.
AUTOTEST_MODE = os.environ.get("COMNETSEMU_AUTOTEST_MODE", 0)
setLogLevel("info")
net = Containernet(controller=Controller, link=TCLink, xterms=False)
mgr = VNFManager(net)
info("*** Add controller\n")
net.addController("c0")
cwd = os.getcwd()
info("*** Creating hosts\n")
h1 = net.addDockerHost(
"h1",
dimage="network_measurement",
ip="10.0.0.1",
docker_args={"hostname": "h1"},
)
h2 = net.addDockerHost(
"h2",
dimage="network_measurement",
ip="10.0.0.2",
docker_args={
"hostname": "h2",
"volumes": {
f"{cwd}": {
"bind": "/flent_data",
"mode": "rw"
}
},
},
def test_ovx():
try:
ip = "127.0.0.1"
port = 6633
info("*** Add remote controller\n")
c = RemoteController("c", ip=ip, port=port)
net = Containernet(
autoStaticArp=True, autoSetMacs=True, controller=None, link=TCLink
)
net.addController(c)
info("*** Add switches, hosts and links \n")
# Add core switches
cores = {}
for switch in CORES:
cores[switch] = net.addSwitch(switch, dpid=(CORES[switch]["dpid"] % "0"))
# Add hosts and connect them to their core switch
for switch in CORES:
for count in range(1, FANOUT + 1):
# Add hosts
host = "h_%s_%s" % (switch, count)
ip = "10.0.0.%s" % count
mac = CORES[switch]["dpid"][4:] % count
h = net.addDockerHost(host, dimage="dev_test", ip=ip, mac=mac)
# Connect hosts to core switches
net.addLink(cores[switch], h)
# Connect core switches
net.addLink(cores["SFO"], cores["SEA"])
net.addLink(cores["SEA"], cores["SLC"])
net.addLink(cores["SFO"], cores["LAX"])
net.addLink(cores["LAX"], cores["SLC"])
net.addLink(cores["LAX"], cores["IAH"])
net.addLink(cores["SLC"], cores["MCI"])
net.addLink(cores["MCI"], cores["IAH"])
net.addLink(cores["MCI"], cores["ORD"])
net.addLink(cores["IAH"], cores["ATL"])
net.addLink(cores["ORD"], cores["ATL"])
net.addLink(cores["ORD"], cores["CLE"])
net.addLink(cores["ATL"], cores["IAD"])
net.addLink(cores["CLE"], cores["IAD"])
net.addLink(cores["CLE"], cores["EWR"])
net.addLink(cores["EWR"], cores["IAD"])
info("*** Start network... \n")
net.start()
print(
"Hosts configured with IPs, switches pointing to OpenVirteX at %s:%s"
% (ip, port)
)
info("[OVX] Create a virtual network between SEA and LAX\n")
wd = os.getcwd()
os.chdir(OVXCTL_DIR)
commands = [
# Create virtual networks
"python2 ovxctl.py createNetwork tcp:{}:{} 10.0.0.0 16".format(
SDN_CONTROLLER_IP, SDN_CONTROLLER_PORT
),
# Create virtual switches
"python2 ovxctl.py -n createSwitch 1 00:00:00:00:00:00:01:00",
"python2 ovxctl.py -n createSwitch 1 00:00:00:00:00:00:02:00",
"python2 ovxctl.py -n createSwitch 1 00:00:00:00:00:00:03:00",
# Create virtual ports
"python2 ovxctl.py -n createPort 1 00:00:00:00:00:00:01:00 1",
"python2 ovxctl.py -n createPort 1 00:00:00:00:00:00:01:00 5",
"python2 ovxctl.py -n createPort 1 00:00:00:00:00:00:02:00 5",
"python2 ovxctl.py -n createPort 1 00:00:00:00:00:00:02:00 6",
"python2 ovxctl.py -n createPort 1 00:00:00:00:00:00:03:00 5",
"python2 ovxctl.py -n createPort 1 00:00:00:00:00:00:03:00 2",
# Create virtual links
"python2 ovxctl.py -n connectLink 1 00:a4:23:05:00:00:00:01 2 00:a4:23:05:00:00:00:02 1 spf 1",
"python2 ovxctl.py -n connectLink 1 00:a4:23:05:00:00:00:02 2 00:a4:23:05:00:00:00:03 1 spf 1",
# Connect hosts
"python2 ovxctl.py -n connectHost 1 00:a4:23:05:00:00:00:01 1 00:00:00:00:01:01",
"python2 ovxctl.py -n connectHost 1 00:a4:23:05:00:00:00:03 2 00:00:00:00:03:02",
# Start virtual network
"python2 ovxctl.py -n startNetwork 1",
]
for cmd in commands:
ret = check_output(sh_split(cmd), encoding="utf-8")
print(ret)
os.chdir(wd)
CLI(net)
except Exception as e:
error(e)
finally:
net.stop()
def myTopology():
net = Containernet(
switch=OVSKernelSwitch,
build=False,
autoSetMacs=True,
autoStaticArp=True,
link=TCLink,
)
mgr = VNFManager(net)
setLogLevel("info")
info("*** Add Switches\n")
sconfig1 = {"dpid": "%016x" % 1}
sconfig2 = {"dpid": "%016x" % 2}
sconfig3 = {"dpid": "%016x" % 3}
sconfig4 = {"dpid": "%016x" % 4}
net.addSwitch("s1", **sconfig1)
net.addSwitch("s2", **sconfig2)
net.addSwitch("s3", **sconfig3)
net.addSwitch("s4", **sconfig4)
info("*** Add Hosts\n")
host_config = dict(inNamespace=True)
#net.addHost("h1", **host_config, ip="192.0.0.1")
h1 = net.addDockerHost(
"h1",
dimage="dev_test",
ip="192.0.0.1",
docker_args={"hostname": "h1"},
)
h2 = net.addDockerHost(
"h2",
dimage="dev_test",
ip="192.0.0.2",
docker_args={"hostname": "h2"},
)
h3 = net.addDockerHost(
"h3",
dimage="dev_test",
ip="192.0.0.3",
docker_args={"hostname": "h3"},
)
h4 = net.addDockerHost(
"h4",
dimage="dev_test",
ip="192.0.0.4",
docker_args={"hostname": "h4"},
)
h5 = net.addDockerHost(
"h5",
dimage="dev_test",
ip="192.0.0.5",
docker_args={"hostname": "h5"},
)
h6 = net.addDockerHost(
"h6",
dimage="dev_test",
ip="192.0.0.6",
docker_args={"hostname": "h6"},
)
h7 = net.addDockerHost(
"h7",
dimage="dev_test",
ip="192.0.0.7",
docker_args={"hostname": "h7"},
)
info("*** Add Links\n")
net.addLink("h1", "s1", bw=B1)
net.addLink("h2", "s1", bw=B1)
net.addLink("h3", "s1", bw=B1)
net.addLink("h4", "s1", bw=B1)
net.addLink("s1", "s2", bw=B1)
net.addLink("s2", "s3", bw=B1, delay=DELAY)
net.addLink("s3", "s4", bw=B1, delay=DELAY)
net.addLink("s2", "s4", bw=B2)
net.addLink("s1", "s4", bw=B1)
net.addLink("s4", "h5", bw=B1)
net.addLink("s4", "h6", bw=B1)
net.addLink("s4", "h7", bw=B1)
info("*** Add controller\n")
controller = RemoteController("c1", ip="127.0.0.1", port=6633)
net.addController(controller)
net.build()
net.start()
srv1 = mgr.addContainer(
"srv1",
"h1",
"echo_server",
"python /home/server_ad.py",
docker_args={},
)
srv2 = mgr.addContainer(
"srv2",
"h2",
"echo_server",
"python /home/server.py",
docker_args={},
)
srv3 = mgr.addContainer(
"srv3",
"h3",
"echo_server",
"python /home/server.py",
docker_args={},
)
srv4 = mgr.addContainer(
"srv4",
"h4",
"dev_test",
"bash",
docker_args={},
)
srv5 = mgr.addContainer(
"srv5",
"h5",
"dev_test",
"bash",
docker_args={},
)
srv6 = mgr.addContainer(
"srv6",
"h6",
"dev_test",
"bash",
docker_args={},
)
srv7 = mgr.addContainer(
"srv7",
"h7",
"dev_test",
"bash",
docker_args={},
)
spawnXtermDocker("srv5")
spawnXtermDocker("srv1")
CLI(net)
mgr.removeContainer("srv1")
mgr.removeContainer("srv2")
mgr.removeContainer("srv3")
mgr.removeContainer("srv4")
mgr.removeContainer("srv5")
mgr.removeContainer("srv6")
mgr.removeContainer("srv7")
net.stop()
mgr.stop()
print("Run this script with sudo.", file=sys.stderr)
sys.exit(1)
setLogLevel("error")
try:
net = Containernet(xterms=False, )
dev = net.addDockerHost(
"dev",
dimage=f"{DIMAGE}",
ip="10.0.1.11/16",
docker_args={
"hostname": "dev",
"volumes": {
"/dev": {
"bind": "/dev",
"mode": "rw"
},
CURRENT_DIR: {
"bind": "/coin_dl/share",
"mode": "rw"
},
},
"working_dir": "/coin_dl/share",
},
)
net.start()
CLI(net)
finally:
net.stop()
def testTopo():
"Create an empty network and add nodes to it."
net = Containernet(controller=Controller, link=TCLink)
info("*** Adding controller\n")
net.addController("c0")
info("*** Adding hosts\n")
center = net.addDockerHost(
"center",
dimage="sec_test",
ip="10.0.0.1",
docker_args={
"cpuset_cpus": "1",
"cpu_quota": 25000
},
)
client1 = net.addDockerHost(
"h2",
dimage="sec_test",
ip="10.0.0.2",
docker_args={
"cpuset_cpus": "1",
"cpu_quota": 25000
},
)
client2 = net.addDockerHost(
"h3",
dimage="sec_test",
ip="10.0.0.3",
docker_args={
"cpuset_cpus": "0",
"cpu_quota": 25000
},
)
client3 = net.addDockerHost(
"h4",
dimage="sec_test",
ip="10.0.0.4",
docker_args={
"cpuset_cpus": "0",
"cpu_quota": 25000
},
)
info("*** Adding switch\n")
s1 = net.addSwitch("s1")
info("*** Creating links\n")
net.addLinkNamedIfce(s1, center, bw=10, delay="10ms")
net.addLinkNamedIfce(s1, client1, bw=10, delay="10ms")
net.addLinkNamedIfce(s1, client2, bw=10, delay="10ms")
net.addLinkNamedIfce(s1, client3, bw=10, delay="10ms")
try:
info("*** Starting network\n")
net.start()
info("*** Create wg key pairs\n")
center_private_key, center_public_key = generate_key_pair_for_host(
center)
h2_private_key, h2_public_key = generate_key_pair_for_host(client1)
h3_private_key, h3_public_key = generate_key_pair_for_host(client2)
h4_private_key, h4_public_key = generate_key_pair_for_host(client3)
info("*** Create wg interfaces\n")
info(
"*** Create a star topology with center as the center. Instead of using wg tool write a configuration for the\n"
)
info(
"*** interface and place it in /etc/wireguard/wg0.conf, then use the wg-quick command to setup the interface.\n"
)
info(
"*** The wg and wg-quick manpages contain a reference for the syntax of the configuration file.\n"
)
info(
"*** Use the network 192.168.0.0/24 for the inner tunnel and asign 192.168.0.1 to the center.\n"
)
while (not test_connection(client1, "192.168.0.1")
or not test_connection(client2, "192.168.0.1")
or not test_connection(client3, "192.168.0.1")):
sleep(10)
except KeyboardInterrupt:
info("** KeyboardInterrupt detected, exit the program.\n")
finally:
info("*** Stopping network")
net.stop()
def testMuNF(nano_cpus):
net = Containernet(controller=Controller, link=TCLink)
mgr = VNFManager(net)
start_ts = time.time()
info("*** Adding controller\n")
net.addController("c0")
info("*** Adding Docker hosts\n")
pktgen = net.addDockerHost(
"pktgen",
dimage=f"trex:{TREX_VER}",
ip="10.0.0.1/24",
docker_args={
"cpuset_cpus": "0",
"hostname": "pktgen",
"volumes": {
os.path.join(TREX_CONF_DIR, "trex_cfg.yaml"): {
"bind": "/etc/trex_cfg.yaml",
"mode": "rw",
},
TREX_CONF_DIR: {"bind": f"/trex/{TREX_VER}/local", "mode": "rw"},
},
},
)
dut = net.addDockerHost(
"dut",
dimage=f"ffpp:{FFPP_VER}",
ip="10.0.0.2/24",
docker_args={
"cpuset_cpus": "1,2",
"nano_cpus": int(nano_cpus),
"hostname": "dut",
"volumes": {
"/sys/bus/pci/drivers": {"bind": "/sys/bus/pci/drivers", "mode": "rw"},
"/sys/kernel/mm/hugepages": {
"bind": "/sys/kernel/mm/hugepages",
"mode": "rw",
},
"/sys/devices/system/node": {
"bind": "/sys/devices/system/node",
"mode": "rw",
},
"/dev": {"bind": "/dev", "mode": "rw"},
FFPP_DIR: {"bind": "/ffpp", "mode": "rw"},
},
},
)
s1 = net.addSwitch("s1")
# Control plane links.
net.addLinkNamedIfce(s1, pktgen)
net.addLinkNamedIfce(s1, dut)
# Data plane links.
net.addLink(
dut, pktgen, bw=1000, delay="1ms", intfName1="vnf-in", intfName2="pktgen-out"
)
net.addLink(
dut, pktgen, bw=1000, delay="1ms", intfName1="vnf-out", intfName2="pktgen-in"
)
pktgen.cmd("ip addr add 192.168.17.1/24 dev pktgen-out")
pktgen.cmd("ip addr add 192.168.18.1/24 dev pktgen-in")
dut.cmd("ip addr add 192.168.17.2/24 dev vnf-in")
dut.cmd("ip addr add 192.168.18.2/24 dev vnf-out")
# TODO: Deploy a chain of CNFs.
cnfs = list()
for n in range(1):
cnf = mgr.addContainer(
f"cnf{n}",
"dut",
f"ffpp:{FFPP_VER}",
"/bin/bash",
docker_args={
"volumes": {
"/sys/bus/pci/drivers": {
"bind": "/sys/bus/pci/drivers",
"mode": "rw",
},
"/sys/kernel/mm/hugepages": {
"bind": "/sys/kernel/mm/hugepages",
"mode": "rw",
},
"/sys/devices/system/node": {
"bind": "/sys/devices/system/node",
"mode": "rw",
},
"/dev": {"bind": "/dev", "mode": "rw"},
FFPP_DIR: {"bind": "/ffpp", "mode": "rw"},
}
},
)
cnfs.append(cnf)
net.start()
# Avoid looping
pktgen.cmd("ip addr flush dev pktgen-s1")
pktgen.cmd("ip link set pktgen-s1 down")
dut.cmd("ip addr flush dev dut-s1")
dut.cmd("ip link set dut-s1 down")
pktgen.cmd("ping -c 5 192.168.17.2")
pktgen.cmd("ping -c 5 192.168.18.2")
duration = time.time() - start_ts
print(f"Setup duration: {duration:.2f} seconds.")
CLI(net)
info("*** Stopping network\n")
net.stop()
mgr.stop()
from mininet.node import Controller
if __name__ == "__main__":
setLogLevel("info")
net = Containernet(controller=Controller, link=TCLink, xterms=False)
mgr = VNFManager(net)
info("*** Add controller\n")
net.addController("c0")
info("*** Creating hosts\n")
h1 = net.addDockerHost(
"h1",
dimage="dev_test",
ip="10.0.0.1",
docker_args={"hostname": "h1"},
)
h2 = net.addDockerHost(
"h2",
dimage="dev_test",
ip="10.0.0.2",
docker_args={"hostname": "h2"},
)
h3 = net.addDockerHost(
"h3",
dimage="dev_test",
ip="10.0.0.3",
docker_args={"hostname": "h3"},
def run_benchmark(proto):
net = Containernet(controller=Controller,
link=TCLink,
switch=OVSSwitch,
autoStaticArp=False)
info("*** Adding controller\n")
net.addController("c0")
info("*** Adding switch\n")
s1 = net.addSwitch("s1")
# MARK: The relay should run on a different CPU core as the client and
# server. To avoid cache misses of the VNF running on the relay.
info("*** Adding client and server.\n")
client = net.addDockerHost(
"client",
dimage="lat_bm:latest",
ip="10.0.0.100/24",
docker_args={
"cpuset_cpus": "0",
"volumes": {
"%s" % FFPP_DIR: {
"bind": "/ffpp",
"mode": "ro"
}
},
},
)
net.addLinkNamedIfce(s1, client, delay="100ms")
server = net.addDockerHost(
"server",
dimage="lat_bm:latest",
ip="10.0.0.200/24",
docker_args={"cpuset_cpus": "0"},
)
net.addLinkNamedIfce(s1, server, delay="100ms")
if ADD_RELAY:
cpus_relay = "1"
if TEST_NF == "l2fwd-power":
print(
"*** [INFO] l2fwd-power application require at least one master and one slave core.\n"
"The master handles timers and slave core handles forwarding task."
)
cpus_relay = "0,1"
info("*** Adding relay.\n")
# Need additional mounts to run DPDK application
# MARK: Just used for development, never use this in production container
# setup.
relay = net.addDockerHost(
"relay",
dimage="ffpp:latest",
ip="10.0.0.101/24",
docker_args={
"cpuset_cpus": cpus_relay,
"nano_cpus": int(1.0 * 1e9),
"volumes": {
"/sys/bus/pci/drivers": {
"bind": "/sys/bus/pci/drivers",
"mode": "rw",
},
"/sys/kernel/mm/hugepages": {
"bind": "/sys/kernel/mm/hugepages",
"mode": "rw",
},
"/sys/devices/system/node": {
"bind": "/sys/devices/system/node",
"mode": "rw",
},
"/dev": {
"bind": "/dev",
"mode": "rw"
},
"%s" % FFPP_DIR: {
"bind": "/ffpp",
"mode": "rw"
},
},
},
)
net.addLinkNamedIfce(s1, relay, delay="100ms")
info("*** Starting network\n")
net.start()
net.pingAll()
nodes = [n.name for n in net.hosts]
sw_ifaces = [f"s1-{n}" for n in nodes]
info("*** Disable kernel IP checksum offloading.\n")
for iface in sw_ifaces:
check_output(split(f"ethtool --offload {iface} rx off tx off"))
node_portnum_map = {n: getOFPort(s1, f"s1-{n}") for n in nodes}
if ADD_RELAY:
info("*** Add OpenFlow rules for traffic redirection.\n")
peer_map = {"client": "relay", "relay": "server", "server": "client"}
for p in ["udp", "tcp"]:
for peer in peer_map.keys():
check_output(
split(
'ovs-ofctl add-flow s1 "{},in_port={},actions=output={}"'
.format(p, node_portnum_map[peer],
node_portnum_map[peer_map[peer]])))
if DEBUG:
flow_table = s1.dpctl("dump-flows")
print(f"*** Current flow table of s1: \n {flow_table}")
info("*** Run DPDK helloworld\n")
relay.cmd("cd $RTE_SDK/examples/helloworld && make")
ret = relay.cmd(
"cd $RTE_SDK/examples/helloworld/build && ./helloworld")
print(f"Output of helloworld app:\n{ret}")
DISPATCHER[TEST_NF](relay)
server.cmd("pkill sockperf")
setup_server(server, proto)
for mps in LAT_TEST_PARAS["client_mps_list"]:
run_latency_test(server, client, proto, mps)
time.sleep(3)
if ENTER_CLI:
info("*** Enter CLI\n")
info("Use help command to get CLI usages\n")
CLI(net)
info("*** Stopping network")
net.stop()
setLogLevel("error")
net = None
try:
start = time.time()
net = Containernet(xterms=False)
dev = net.addDockerHost(
"dev",
dimage=f"ffpp:{FFPP_VER}",
ip="10.0.1.11/16",
docker_args={
"hostname": "dev",
"volumes": {
"/dev": {
"bind": "/dev",
"mode": "rw"
},
CURRENT_DIR: {
"bind": "/ffpp",
"mode": "rw"
},
},
"working_dir": "/ffpp",
},
)
net.start()
print(
"Try to uninstall libffpp to avoid conflicts with development sources."
)
_ = dev.cmd("bash ./scripts/uninstall_ninja.sh")
def testTopo():
"Create an empty network and add nodes to it."
net = Containernet(controller=Controller, link=TCLink)
info("*** Adding controller\n")
net.addController("c0")
info("*** Adding hosts\n")
client = net.addDockerHost(
"client",
dimage="sec_test",
ip="10.0.0.1/24",
docker_args={
"cpuset_cpus": "0",
"cpu_quota": 25000
},
)
server = net.addDockerHost(
"server",
dimage="nginx",
ip="10.0.0.2/24",
docker_args={
"cpuset_cpus": "0",
"cpu_quota": 25000
},
)
info("*** Adding switch\n")
s1 = net.addSwitch("s1")
info("*** Creating links\n")
net.addLinkNamedIfce(s1, client, bw=100, delay="10ms")
net.addLinkNamedIfce(s1, server, bw=100, delay="10ms")
info("*** Starting network\n")
net.start()
info("** client -> server\n")
test_connection(client, "10.0.0.2")
info("\n")
# Create whitelist
info("*** Create whitelist\n")
server.cmd("nft add table inet filter")
server.cmd(
"nft add chain inet filter input { type filter hook input priority 0 \; policy drop \; }"
)
server.cmd("nft add rule inet filter input ip saddr 10.0.0.1 accept")
# The server can talk back to client
info("** server -> client\n")
test_connection(server, "10.0.0.2")
# But he cannot talk to some other server on the internet, this is a problem
info("** server -> internet\n")
test_connection(server, "8.8.8.8")
info("\n")
info("*** Enable connection tracking\n")
server.cmd(
"nft add rule inet filter input ct state established,related accept")
info("** server -> internet\n")
test_connection(server, "8.8.8.8")
# client is overdoing it a little and our server cannot handle all of its requests...
info("*** client is flodding server with too many requests!\n")
server.cmd("iperf -s &")
print(client.cmd("iperf -c 10.0.0.2"))
server.cmd(
"nft insert rule inet filter input position 2 limit rate over 1 mbytes/second drop"
)
print(client.cmd("iperf -c 10.0.0.2"))
info("\n")
info("*** Stopping network")
net.stop()
def testTopo():
net = Containernet(controller=Controller, link=TCLink)
info("*** Adding controller\n")
net.addController("c0")
info("*** Adding hosts\n")
client = net.addDockerHost(
"client",
dimage="sec_test",
ip="10.0.0.1",
docker_args={
"cpuset_cpus": "1",
"cpu_quota": 25000
},
)
server = net.addDockerHost(
"server",
dimage="sec_test",
ip="10.0.0.2",
docker_args={
"cpuset_cpus": "1",
"cpu_quota": 25000
},
)
attacker = net.addDockerHost(
"attacker",
dimage="sec_test",
ip="10.0.0.3",
docker_args={
"cpuset_cpus": "0",
"cpu_quota": 25000
},
)
info("*** Adding switch\n")
s1 = net.addSwitch("s1")
info("*** Creating links\n")
net.addLinkNamedIfce(s1, client, bw=10, delay="10ms")
net.addLinkNamedIfce(s1, server, bw=10, delay="10ms")
net.addLinkNamedIfce(s1, attacker, bw=10, delay="10ms")
try:
info("*** Starting network\n")
net.start()
info("*** Attacker, Client and Server setup\n")
client.cmd("ping -c 10 10.0.0.2")
attacker.cmd(
"printf -- '#!/bin/bash\narpspoof -i attacker-s1 -t 10.0.0.1 10.0.0.2 >> /dev/null &\narpspoof -i attacker-s1 -t 10.0.0.2 10.0.0.1 >> /dev/null &' > spoof.sh; chmod +x spoof.sh; ./spoof.sh"
)
sleep(10)
attacker.cmd(
"tcpdump -vvv -i attacker-s1 -B 100000 ip >> messages.log &")
sleep(10)
server.cmd("mkdir -p /var/run/vsftpd/empty")
server.cmd("vsftpd &")
info(
"*** Setup a tunnel to protect the ftp request from the MitM attacker!\n"
)
info(
"*** First create key pairs for the client and server and then establish a WireGuard tunnel between them\n"
)
info("*** Use the inner tunnel ip 192.168.0.2 for the server!\n")
x = 0
while not check_secure_network_tunnel(attacker, client, x):
sleep(10)
x = x + 1
except KeyboardInterrupt:
info("** KeyboardInterrupt detected, exit the program.\n")
finally:
info("*** Stopping network")
net.stop()
def testTopo():
"Create an empty network and add nodes to it."
net = Containernet(controller=Controller, link=TCLink)
info("*** Adding controller\n")
net.addController("c0")
info("*** Adding hosts\n")
client = net.addDockerHost(
"client",
dimage="sec_test",
ip="10.0.0.1/24",
docker_args={
"cpuset_cpus": "1",
"cpu_quota": 25000
},
)
server = net.addDockerHost(
"server",
dimage="nginx",
ip="10.0.0.2/24",
docker_args={
"cpuset_cpus": "1",
"cpu_quota": 25000
},
)
attacker = net.addDockerHost(
"attacker",
dimage="sec_test",
ip="10.0.0.3/24",
docker_args={
"cpuset_cpus": "0",
"cpu_quota": 25000
},
)
info("*** Adding switch\n")
s1 = net.addSwitch("s1")
info("*** Creating links\n")
net.addLinkNamedIfce(s1, client, bw=10, delay="10ms")
net.addLinkNamedIfce(s1, server, bw=10, delay="10ms")
net.addLinkNamedIfce(s1, attacker, bw=10, delay="10ms")
info("*** Starting network\n")
net.start()
info("** client -> server\n")
test_connection(client, "10.0.0.2")
info("** attacker -> server\n")
test_connection(attacker, "10.0.0.2")
info("\n")
# Create blacklist
info("*** Create blacklist\n")
server.cmd("nft add table inet filter")
server.cmd(
"nft add chain inet filter input { type filter hook input priority 0 \; policy accept \; }"
)
server.cmd("nft add rule inet filter input ip saddr 10.0.0.3 drop")
# Check if client can connect and attacker can not.
info("** client -> server\n")
test_connection(client, "10.0.0.2")
info("** attacker -> server\n")
test_connection(attacker, "10.0.0.2")
# attacker changes her ip address
info("*** attacker changes ip address to a different one!\n")
attacker.cmd("ip a f dev attacker-s1")
attacker.cmd("ip a a 10.0.0." + str(random.randint(3, 250)) +
"/24 dev attacker-s1")
# attacker can connect again
info("** attacker -> server\n")
test_connection(attacker, "10.0.0.2")
info("\n")
# Change to whitelist
info("*** Create whitelist\n")
server.cmd("nft flush rule inet filter input")
server.cmd(
"nft add chain inet filter input { type filter hook input priority 0 \; policy drop \; }"
)
server.cmd("nft add rule inet filter input ip saddr 10.0.0.1 accept")
# The server can talk back to server
info("** client -> server\n")
test_connection(client, "10.0.0.2")
info("** attacker -> server\n")
test_connection(attacker, "10.0.0.2")
info("*** Stopping network")
net.stop()
def create_dumbbell():
"""Create a single dumbbell topology with the given number of hosts on one side"""
num_hosts = 2
net = Containernet(
controller=Controller,
link=TCLink,
xterms=False,
)
topo_params = {
"sfc_port": SFC_PORT,
"no_sfc_port": NO_SFC_PORT,
"control_port": CONTROL_PORT,
}
nodes = {}
info("*** Adding controller, listening on port 6653, use OpenFlow 1.3\n")
c1 = net.addController(
"c1", controller=RemoteController, port=6653, protocols="OpenFlow13"
)
topo_params.update({"controllers": [{"name": "c1", "port": 6653}]})
info(f"*** Adding {num_hosts} clients and {num_hosts} servers\n")
# Boilerplate code...
clients = []
servers = []
topo_params["clients"] = {}
topo_params["servers"] = {}
# TODO: Play with cpuset_cpus if measurement results are not good enough
for i in range(1, num_hosts + 1):
client_ip = f"10.0.1.{10+i}/16"
server_ip = f"10.0.2.{10+i}/16"
client = net.addDockerHost(
f"client{i}",
dimage=f"{DIMAGE}",
ip=client_ip,
docker_args={
"cpuset_cpus": "0",
"nano_cpus": int(1e9),
"hostname": f"client{i}",
"working_dir": "/coin_dl",
"volumes": {
CURRENT_DIR: {"bind": "/coin_dl/share", "mode": "rw"},
},
},
)
server = net.addDockerHost(
f"server{i}",
dimage=f"{DIMAGE}",
ip=server_ip,
docker_args={
"cpuset_cpus": "1",
"nano_cpus": int(1e9),
"hostname": f"server{i}",
"working_dir": "/coin_dl",
"volumes": {
CURRENT_DIR: {"bind": "/coin_dl/share", "mode": "rw"},
},
},
)
clients.append(client)
topo_params["clients"][client.name] = {
"ip": client_ip,
}
servers.append(server)
topo_params["servers"][server.name] = {
"ip": server_ip,
}
info("*** Adding two switches and two VNF nodes\n")
s1 = net.addSwitch("s1", protocols="OpenFlow13")
s2 = net.addSwitch("s2", protocols="OpenFlow13")
switches = [s1, s2]
DPDK_VOLUME = {
"/sys/kernel/mm/hugepages": {
"bind": "/sys/kernel/mm/hugepages",
"mode": "rw",
},
"/dev": {"bind": "/dev", "mode": "rw"},
CURRENT_DIR: {"bind": "/coin_dl/share", "mode": "rw"},
}
vnfs = []
for i in range(1, len(switches) + 1):
vnf = net.addDockerHost(
f"vnf{i}",
dimage=f"{DIMAGE}",
ip=f"10.0.3.{10+i}/16",
docker_args={
"cpuset_cpus": "3",
"nano_cpus": int(9e8 / 2),
"hostname": f"vnf{i}",
"volumes": DPDK_VOLUME,
"working_dir": "/coin_dl",
},
)
vnfs.append(vnf)
# TODO: Pick up the suitable parameters here.
# TODO: Use better DS and names for parameters here.
BW_MAX_NODE = 1000 # 1Gb/sec
DELAY_MIN_NODE_MS = 1
DELAY_MIN_NODE_MS_STR = f"{DELAY_MIN_NODE_MS}ms"
BW_MIN_NODE = 100
DELAY_MAX_NODE_MS = 10
DELAY_MAX_NODE_MS_STR = f"{DELAY_MAX_NODE_MS}ms"
BW_BOTTLENECK = 100 # Mbits/s
DELAY_BOTTLENECK_MS = 100
DELAY_BOTTLENECK_MS_STR = str(DELAY_BOTTLENECK_MS) + "ms"
BDP = ((BW_BOTTLENECK * 10 ** 6) * (DELAY_BOTTLENECK_MS * 10 ** -3)) / 8.0
info(f"\n*** The BDP of the bottleneck link is {BDP:.2f} B\n")
topo_params.update(
{
"bottleneck": {
"bandwidth_mbps": BW_BOTTLENECK,
"delay_ms": DELAY_BOTTLENECK_MS,
"BDP_B": BDP,
}
}
)
info("*** Creating links\n")
for client, server in zip(clients, servers):
# TODO (Zuo): Check if max_queue_size need to be added here
net.addLinkNamedIfce(client, s1, bw=BW_MAX_NODE, delay=DELAY_MIN_NODE_MS_STR)
# Here... the server should also be a "bottleneck"
net.addLinkNamedIfce(s2, server, bw=BW_MIN_NODE, delay=DELAY_MAX_NODE_MS_STR)
# Add bottleneck link
net.addLinkNamedIfce(s1, s2, bw=BW_BOTTLENECK, delay=DELAY_BOTTLENECK_MS_STR)
for switch, vnf in zip(switches, vnfs):
# TODO (Zuo): Check if max_queue_size need to be added here, to remove additional queuing latency of VNF data interfaces
net.addLinkNamedIfce(switch, vnf, bw=BW_MAX_NODE, delay="0ms")
with open("./dumbbell.json", "w+", encoding="ascii") as f:
json.dump(topo_params, f, sort_keys=True, indent=2)
nodes["clients"] = clients
nodes["servers"] = servers
nodes["switches"] = switches
nodes["vnfs"] = vnfs
nodes["controllers"] = [c1]
return (net, nodes, topo_params)