Exemplo n.º 1
 def permit_ether_addr(self, eaddr):
     """Return True if ``eaddr`` is a key of ``self.st['permitted']``.

     Fails closed: while ``self.st`` is still falsy (not yet populated) the
     answer is False, so no address is treated as permitted before the
     state exists.
     """
     if not self.st:
         print "some object is not initialized yet"
         return False

     # NOTE(review): the decision rests on the Ethernet address alone; if
     # callers pass a value read from a received frame, that value is
     # sender-controlled -- confirm this is the intended trust model.
     mac = util.convert_to_eaddr(eaddr)
     return mac in self.st['permitted']
Exemplo n.º 2
def ws_whitelist_eth(request, args):
    """Web-service handler: remove a MAC address from EAP-traffic filtering.

    Replies with a bad-request response when ``args['eaddr']`` is missing
    or empty.  Otherwise the address is whitelisted through the DHCP
    component and the current blacklist status is returned as JSON.
    """
    # NOTE(review): no caller authorisation is checked inside this handler;
    # presumably the webservice layer enforces it -- confirm, since this
    # call changes access-control state.
    raw_addr = args.get('eaddr')
    if not raw_addr:
        return webservice.badRequest(request, "missing eaddr")

    Homework._dhcp.whitelist_mac_addr(util.convert_to_eaddr(raw_addr))
    return json.dumps(Homework._dhcp.get_blacklist_mac_status())
Exemplo n.º 3
    def handle_dns(self, dpid, inport, ofp_reason, total_frame_len, buffer_id, packet):
        """Packet-in handler for DNS queries: filter by sender MAC and queried name.

        Returns STOP when the source Ethernet address is not permitted, or
        when a question names a host listed for that address in
        ``Homework.st['dnsList']``.  Otherwise a datapath flow is installed
        for the packet's flow and CONTINUE is returned.
        """
        src_mac = util.convert_to_eaddr(packet.src)
        dns_header = packet.find('dns')

        if not self.permit_ether_addr(src_mac):
            print "Dropping DNS Packet - MAC Address not allowed"
            return STOP

        if not dns_header:
            # NOTE(review): a packet with no parsed DNS header from a
            # permitted sender is passed on (CONTINUE), so the name check
            # below fails open for it -- confirm that is intended.
            print "Invalid DNS packet:", dns_header, packet
            return CONTINUE

        print "DNS Packet:", dns_header

        for question in dns_header.questions:
            per_host_lists = Homework.st['dnsList']
            if src_mac not in per_host_lists:
                continue
            # NOTE(review): exact-string membership; DNS names compare
            # case-insensitively, so stored and queried names may need
            # normalising before this test -- confirm.
            if question.name in per_host_lists[src_mac]:
                print "DNS Resquest blocked for", question.name
                return STOP

        # NOTE(review): 3 and 10 look like the idle/hard timeouts of the
        # installed flow; if so, later packets matching that flow are
        # forwarded by the datapath and would not reach the per-question
        # check above until the flow expires -- confirm.
        matched_flow = util.extract_flow(packet)
        forward_normally = [[openflow.OFPAT_OUTPUT, [-1, openflow.OFPP_NORMAL]]]
        Homework.install_datapath_flow(
            dpid, matched_flow, 3, 10,
            forward_normally,
            buffer_id, openflow.OFP_DEFAULT_PRIORITY, inport, packet.arr
        )

        return CONTINUE
Exemplo n.º 4
 def permit_dns(self, eaddr, hostname):
     """Return True if ``hostname`` is recorded under ``eaddr`` in ``self.st['dnsList']``.

     Returns False while ``self.st`` is still falsy, and False when the
     address has no entry at all.
     """
     if not self.st:
         print "some object is not initialized yet"
         return False

     # NOTE(review): the method name reads as an allow check, yet True means
     # the name IS present in dnsList -- confirm whether that table holds
     # allowed or blocked names before relying on the result.
     mac = util.convert_to_eaddr(eaddr)
     dns_table = self.st['dnsList']
     if mac not in dns_table:
         return False
     return hostname in dns_table[mac]
Exemplo n.º 5
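def status(eaddr=None):
    """Return the permit/deny status as a JSON string.

    With no ``eaddr`` the result is a JSON object with two lists,
    ``"permitted"`` and ``"denied"``, holding every address in the matching
    ``Homework.st`` table rendered with ``str``.

    With an ``eaddr`` the result is the JSON string ``"permitted"`` or
    ``"denied"`` for that single address.
    """
    if not eaddr:
        report = {
            "permitted": list(map(str, Homework.st['permitted'].keys())),
            "denied": list(map(str, Homework.st['denied'].keys())),
        }
    else:
        eaddr = util.convert_to_eaddr(eaddr)
        # Look the address up in the permitted table itself; an address
        # that is not listed there is reported as denied (default deny).
        report = "permitted" if eaddr in Homework.st['permitted'] else "denied"
    return json.dumps(report)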
Exemplo n.º 6
def ws_blacklist_eth(request, args):
    """Web-service handler: aggressively exclude a MAC address at the WPA-connectivity level.

    Replies with a bad-request response when ``args['eaddr']`` is missing
    or empty.  Otherwise any permit entry for the address is dropped and
    revoked through DHCP, the address is blacklisted, and the current
    blacklist status is returned as JSON.
    """
    # NOTE(review): no caller authorisation is checked inside this handler;
    # presumably the webservice layer enforces it -- confirm, since this
    # call can cut a device off the network.
    raw_addr = args.get('eaddr')
    if not raw_addr:
        return webservice.badRequest(request, "missing eaddr")

    mac = util.convert_to_eaddr(raw_addr)
    permitted = Homework.st['permitted']
    if mac in permitted:
        # The permit entry goes first, then the DHCP revocation, so the
        # address is no longer permitted by the time it is blacklisted.
        del permitted[mac]
        Homework._dhcp.revoke_mac_addr(mac)

    Homework._dhcp.blacklist_mac_addr(mac)
    return json.dumps(Homework._dhcp.get_blacklist_mac_status())
Exemplo n.º 7
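def dns_permit(eaddr, hostname):
    """Remove ``hostname`` from the DNS names recorded for ``eaddr``.

    Returns None when either argument is empty; otherwise returns the JSON
    produced by ``status()``.  An address with no entry in
    ``Homework.st['dnsList']`` is left untouched.
    """
    print "DNS PERMIT", eaddr, hostname
    if not (eaddr and hostname):
        return

    eaddr = util.convert_to_eaddr(eaddr)

    # An address that never had a name recorded has no entry in the table;
    # indexing it directly would raise KeyError on this externally supplied
    # value, so look it up first and skip the removal when it is absent.
    recorded_names = Homework.st['dnsList'].get(eaddr)
    if recorded_names is not None:
        recorded_names.discard(hostname)

    return status()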
Exemplo n.º 8
def deny(eaddr, ipaddr=None):
    """Deny tx/rx to/from a specified Ethernet address.

    Drops the address from ``Homework.st['permitted']`` if it is there,
    revokes it through the DHCP component, and returns the JSON produced
    by ``status()``.  Returns None when both arguments are empty.
    """
    print "DENY", eaddr, ipaddr
    # NOTE(review): this guard lets the call through when only ``ipaddr``
    # is given, so ``eaddr`` may still be None at the conversion below --
    # confirm convert_to_eaddr copes with that.
    if not eaddr and not ipaddr:
        return

    mac = util.convert_to_eaddr(eaddr)
    Homework.st['permitted'].pop(mac, None)
    # Revocation runs whether or not the address was permitted.
    Homework._dhcp.revoke_mac_addr(mac)
    return status()
Exemplo n.º 9
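def status(eaddr=None):
    """Return the permit status and per-address DNS lists as a JSON string.

    With no ``eaddr`` the result is a JSON object with ``"permitted"`` (the
    permitted addresses rendered with ``str``) and ``"dnsList"`` (a mapping
    from each address string to the list of names recorded for it).

    With an ``eaddr`` the result is the JSON string ``"permitted"`` or
    ``"denied"`` for that single address.
    """
    if not eaddr:
        dns_lists = dict()
        for mac, names in Homework.st['dnsList'].items():
            # Addresses and name collections are converted to plain
            # str/list values so that json.dumps can encode them.
            dns_lists[str(mac)] = list(names)
        report = {
            "permitted": list(map(str, Homework.st['permitted'].keys())),
            "dnsList": dns_lists,
        }
    else:
        eaddr = util.convert_to_eaddr(eaddr)
        # Look the address up in the permitted table itself; an address
        # that is not listed there is reported as denied (default deny).
        report = "permitted" if eaddr in Homework.st['permitted'] else "denied"
    return json.dumps(report)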
Exemplo n.º 10
def dns_deny(eaddr, hostname):
    """Record ``hostname`` in the DNS name set kept for ``eaddr``.

    Creates the per-address set in ``Homework.st['dnsList']`` on first use.
    Returns None when either argument is empty; otherwise returns the JSON
    produced by ``status()``.
    """
    print "DENY", eaddr, hostname
    if not eaddr or not hostname:
        return

    mac = util.convert_to_eaddr(eaddr)
    # NOTE(review): the name is stored exactly as supplied; if lookups
    # compare it with names taken from DNS packets, a case or trailing-dot
    # difference would not match -- confirm whether it should be normalised.
    Homework.st['dnsList'].setdefault(mac, set()).add(hostname)

    # Dumps the whole policy state to stdout.
    print Homework.st

    return status()
Exemplo n.º 11
    def handle_dns_response(self, dpid, inport, ofp_reason, total_frame_len, buffer_id, packet):
        """Packet-in handler for DNS responses: filter by destination MAC and log answers.

        Returns STOP when the destination Ethernet address is not permitted.
        Returns CONTINUE without further work when no DNS header is found.
        Otherwise every answer is recorded in ``Homework.st['domains']``
        under the key ``"<name>:<record type>"``, a datapath flow is
        installed for the packet's flow, and CONTINUE is returned.
        """
        dst_mac = util.convert_to_eaddr(packet.dst)
        dns_header = packet.find('dns')

        if not self.permit_ether_addr(dst_mac):
            print "Dropping DNS Response Packet - MAC Address not allowed"
            return STOP

        if not dns_header:
            # Diagnostic dump of the unparsed packet.
            print "\n\n +++ +++ Invalid DNS Response packet: ", dns_header
            print packet
            print dir(packet)
            print packet.__dict__
            print "\n\n"
            return CONTINUE

        print "DNS Response packet:", dns_header

        print "*******", dir(dns_header)
        print "*******", dns_header.__dict__

        for answer in dns_header.answers:
            # Prefer the symbolic record-type name, else the numeric type.
            if answer.qtype in dns.rrtype_to_str:
                type_label = dns.rrtype_to_str[answer.qtype]
            else:
                type_label = str(answer.qtype)
            domain = answer.name + ":" + type_label

            # NOTE(review): the attribute is spelled ``rddata``; confirm it
            # matches the DNS parser's field name.
            # NOTE(review): every answer seen on the network is accumulated
            # here and no size bound or expiry is visible in this handler --
            # confirm growth of st['domains'] is limited elsewhere.
            seen_domains = Homework.st['domains']
            if domain in seen_domains:
                seen_domains[domain].add(str(answer.rddata))
            else:
                seen_domains[domain] = set([str(answer.rddata)])

        # NOTE(review): the last argument is ``dns_header.arr`` (the DNS
        # header's array), not the whole packet's ``arr`` -- confirm that is
        # what install_datapath_flow expects.
        matched_flow = util.extract_flow(packet)
        forward_normally = [[openflow.OFPAT_OUTPUT, [-1, openflow.OFPP_NORMAL]]]
        Homework.install_datapath_flow(
            dpid, matched_flow, 3, 10,
            forward_normally,
            buffer_id, openflow.OFP_DEFAULT_PRIORITY, inport, dns_header.arr
        )

        return CONTINUE
Exemplo n.º 12
def permit(eaddr, ipaddr=None):
    """Permit tx/rx to/from a specified Ethernet address.

    Returns None when both arguments are empty; otherwise returns the JSON
    produced by ``status()``.  The address is recorded in
    ``Homework.st['permitted']`` (with value None) only when no ``ipaddr``
    is supplied.
    """
    print "PERMIT", eaddr, ipaddr
    # NOTE(review): this guard lets the call through when only ``ipaddr``
    # is given, so ``eaddr`` may still be None at the conversion below --
    # confirm convert_to_eaddr copes with that.
    if not eaddr and not ipaddr:
        return

    ## TODO Add rule to forward dns requests

    eaddr = util.convert_to_eaddr(eaddr)

    # Match for IP frames sent by this address.  Only the disabled
    # flow-installation code further down consumes it.
    pattern = {}
    pattern[core.DL_TYPE] = ethernet.ethernet.IP_TYPE
    pattern[core.DL_SRC] = eaddr

    if not ipaddr:
        # NOTE(review): when ``ipaddr`` IS supplied nothing is recorded, so
        # the call leaves the permitted table unchanged -- confirm intended.
        Homework.st['permitted'][eaddr] = None

    # Disabled: install permanent forward and reverse flows on every datapath.
    # for dpid in Homework.st['ports']:
    #     ## permit the forward path to this eaddr/ipaddr
    #     Homework.install_datapath_flow(
    #         dpid, pattern,
    #         openflow.OFP_FLOW_PERMANENT, openflow.OFP_FLOW_PERMANENT,
    #         Actions.really_flood,
    #         )
    #
    #     ## ...and the reverse path similarly
    #     del pattern[core.DL_SRC]
    #     pattern[core.DL_DST] = eaddr
    #     if ipaddr:
    #         del pattern[core.NW_SRC]
    #         pattern[core.NW_DST] = ipaddr
    #
    #     Homework.install_datapath_flow(
    #         dpid, pattern,
    #         openflow.OFP_FLOW_PERMANENT, openflow.OFP_FLOW_PERMANENT,
    #         Actions.really_flood,
    #         )

    return status()