Example #1
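    def add_block_rule(self, rule_action, src_ip, dst_ip, trans_proto, port):
        """Install or remove one drop rule on every switch in the topology.

        Args:
            rule_action: 'add' installs the rule and 'delete' removes it; any
                other value leaves the flow tables unchanged.
            src_ip: IPv4 source to match; an empty value means any source.
            dst_ip: IPv4 destination to match; an empty value means any
                destination.
            trans_proto: IP protocol number. Only inet.IPPROTO_TCP is tested
                for; every other value takes the UDP branch.
            port: destination port to match when it is >= 0. A negative value
                leaves both protocol and port out of the match.
        """
        switch_list = get_switch(self.topology_api_app, None)
        if not switch_list:
            return

        # The match fields do not depend on the switch, so build them once
        # instead of once per datapath.
        match_dict = {'eth_type': ether.ETH_TYPE_IP}

        # NOTE(review): an earlier comment here said "port == 0 means block
        # all protocols", but the test is port >= 0, so 0 is matched as a
        # literal destination port. Confirm which sentinel callers send; a
        # mismatch makes the installed rule narrower than the operator asked.
        if port >= 0:
            if trans_proto == inet.IPPROTO_TCP:
                match_dict.update({
                    'ip_proto': trans_proto,
                    'tcp_dst': port
                })
            else:
                # NOTE(review): any non-TCP protocol number lands here and
                # gets a udp_dst field; confirm callers pass only TCP or UDP.
                match_dict.update({
                    'ip_proto': trans_proto,
                    'udp_dst': port
                })

        # Truthiness instead of len(): an absent (None) address is treated
        # like '' rather than raising TypeError.
        if src_ip:
            match_dict.update({'ipv4_src': src_ip})

        if dst_ip:
            match_dict.update({'ipv4_dst': dst_ip})

        # Read the priority once so every switch gets the rule at the same
        # priority, even if the stored settings change while we iterate.
        fw_priority = firewall_settings.load()['priority']

        for switch in switch_list:
            datapath = switch.dp
            match = datapath.ofproto_parser.OFPMatch(**match_dict)
            actions = []  # empty action list: matching packets are dropped

            if rule_action == 'add':
                ofp_helper.add_flow(datapath, fw_priority, match, actions)
            elif rule_action == 'delete':
                ofp_helper.del_flow(datapath, match, fw_priority)
            # NOTE(review): an unrecognised rule_action changes no flows and
            # the caller is not told; consider reporting it.

            self._request_stats(datapath)  # refresh the stored flow list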
Example #2
    def _flow_stats_reply_handler(self, ev):
        """Rebuild the stored 'blocking_rule' list from a flow-stats reply.

        Each entry of ev.msg.body whose instruction list is empty is recorded
        with its source/destination IP and, for TCP or UDP matches, the
        destination port and protocol name. The settings are then saved.

        NOTE(review): every call starts from an empty list, so the saved list
        presumably reflects only the most recently handled reply. Confirm this
        is intended when several switches answer.
        NOTE(review): any flow with no instructions is listed, whether or not
        this application installed it. Verify against the other flows in use.
        """
        settings = firewall_settings.load()
        rules = settings['blocking_rule'] = []

        for stat in ev.msg.body:
            # Only entries without instructions are recorded.
            if not (stat.instructions == []):
                continue

            fields = stat.match
            src = fields.get('ipv4_src')
            dst = fields.get('ipv4_dst')
            ip_proto = fields.get('ip_proto')

            if ip_proto == inet.IPPROTO_TCP:
                l4_port, l4_name = fields.get('tcp_dst'), 'TCP'
            elif ip_proto == inet.IPPROTO_UDP:
                l4_port, l4_name = fields.get('udp_dst'), 'UDP'
            else:
                l4_port, l4_name = '', ''

            rules.append({
                'srcIP': src,
                'dstIP': dst,
                'tranPort': l4_port,
                'tranProtocol': l4_name,
            })

        firewall_settings.save(settings)
Example #3
    def _flow_stats_reply_handler(self, ev):
        """Store the instruction-less flows of a stats reply as blocking rules.

        Loads the firewall settings, empties 'blocking_rule', appends one dict
        (srcIP, dstIP, tranPort, tranProtocol) per entry in ev.msg.body that
        has an empty instruction list, and saves the settings again.

        NOTE(review): the list is reset on every reply, so a later reply
        presumably overwrites what an earlier one stored. Confirm.
        NOTE(review): the filter is "no instructions", not "installed by this
        firewall". Confirm no other component installs such flows.
        """
        settings = firewall_settings.load()
        settings['blocking_rule'] = []

        for entry in ev.msg.body:
            if entry.instructions == []:
                matched = entry.match
                proto_number = matched.get('ip_proto')

                # Destination port and display name for the two supported
                # transport protocols; anything else is stored as blanks.
                if proto_number == inet.IPPROTO_TCP:
                    transport = (matched.get('tcp_dst'), 'TCP')
                elif proto_number == inet.IPPROTO_UDP:
                    transport = (matched.get('udp_dst'), 'UDP')
                else:
                    transport = ('', '')

                record = {
                    'srcIP': matched.get('ipv4_src'),
                    'dstIP': matched.get('ipv4_dst'),
                    'tranPort': transport[0],
                    'tranProtocol': transport[1],
                }
                settings['blocking_rule'].append(record)

        firewall_settings.save(settings)
Example #4
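    def add_block_rule(self, rule_action, src_ip, dst_ip, trans_proto, port):
        """Add or delete the same drop flow on each switch of the topology.

        Args:
            rule_action: 'add' to install, 'delete' to remove. Other values
                change no flows.
            src_ip: IPv4 source address to match, or an empty value for any.
            dst_ip: IPv4 destination address to match, or an empty value for
                any.
            trans_proto: IP protocol number. inet.IPPROTO_TCP selects a
                tcp_dst match; every other value selects a udp_dst match.
            port: destination port, used when >= 0. With a negative port the
                rule matches neither protocol nor port.
        """
        switch_list = get_switch(self.topology_api_app, None)
        if not switch_list:
            return

        # Build the switch-independent match fields a single time.
        match_dict = {'eth_type': ether.ETH_TYPE_IP}

        # NOTE(review): the previous comment claimed "port == 0 means block
        # all protocols", yet port >= 0 treats 0 as a real port number.
        # Confirm the intended sentinel, since a wrong one yields a rule that
        # does not block what the operator expects.
        if port >= 0:
            if trans_proto == inet.IPPROTO_TCP:
                match_dict.update({'ip_proto': trans_proto,
                                   'tcp_dst': port})
            else:
                # NOTE(review): reached for every non-TCP protocol number, not
                # only UDP. Confirm callers restrict trans_proto.
                match_dict.update({'ip_proto': trans_proto,
                                   'udp_dst': port})

        # A truthiness test also accepts None as "no address" instead of
        # failing inside len().
        if src_ip:
            match_dict.update({'ipv4_src': src_ip})

        if dst_ip:
            match_dict.update({'ipv4_dst': dst_ip})

        # One read of the settings keeps the priority identical across all
        # switches for this call.
        fw_priority = firewall_settings.load()['priority']

        for switch in switch_list:
            datapath = switch.dp
            match = datapath.ofproto_parser.OFPMatch(**match_dict)
            actions = []  # no actions: the flow drops matching packets

            if rule_action == 'add':
                ofp_helper.add_flow(datapath, fw_priority, match, actions)
            elif rule_action == 'delete':
                ofp_helper.del_flow(datapath, match, fw_priority)
            # NOTE(review): other rule_action values are ignored silently, so
            # a caller cannot tell the rule was not applied.

            self._request_stats(datapath)  # refresh the stored flow list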
Example #5
 def get_block_list(self, req, **kwargs):
     """Return the stored blocking rules as a JSON response with status 200.

     The body is {"blocking_rule": [...]}, read from the firewall settings.
     req and kwargs are not used.

     NOTE(review): no access check is visible in this handler. Confirm the
     route is protected elsewhere, since the list discloses firewall policy.
     """
     rules = firewall_settings.load()['blocking_rule']
     payload = json.dumps({'blocking_rule': rules})
     return Response(status=200, content_type='application/json', body=payload)
Example #6
 def get_block_list(self, req, **kwargs):
     """Serve the current 'blocking_rule' list from the settings as JSON.

     Always answers with status 200 and content type application/json.
     Neither req nor kwargs is read.

     NOTE(review): the handler performs no authentication itself. Verify
     that the surrounding routing restricts who can read the block list.
     """
     stored = firewall_settings.load()
     return Response(
         status=200,
         content_type='application/json',
         body=json.dumps({'blocking_rule': stored['blocking_rule']}),
     )