def example_setup(num_clients=3, num_servers=3): ### EXAMPLE PARAMETERS # NETWORK BREAKDOWN ethernet = [2,3,4,1000] ip_core = [5,6,7,1002] gateway = [1001] # SUBNET ADDRESSING eth_prefix = '10.0.0.' ip_prefix = '10.0.1.' prefix_len = 24 eth_cidr = eth_prefix + '0/' + str(prefix_len) ip_cidr = ip_prefix + '0/' + str(prefix_len) # END HOST ADDRESSES public_ip = IP('10.0.1.100') fake_mac = MAC('BB:BB:BB:BB:BB:BB') eth_macs = { IP(eth_prefix+str(i+1)) : MAC('00:00:00:00:00:0'+str(i)) \ for i in range(1,1+num_clients) } ip_macs = { IP(ip_prefix+str(i+1)) : MAC('00:00:00:00:00:0'+str(i+num_clients)) \ for i in range(1,1+num_servers) } host_macs = dict(eth_macs.items() + ip_macs.items()) host_macs.update({IP(public_ip) : fake_mac}) ### POLICIES FOR THIS EXAMPLE eth_pol = mac_learner() ip_pol = mac_learner() gw_pol = gateway_forwarder(eth_cidr,ip_cidr,host_macs) return ((switch_in(ethernet) & eth_pol) + (switch_in(gateway) & gw_pol ) + (switch_in(ip_core) & ip_pol ))
def main(): from pyretic.modules.mac_learner import mac_learner from pyretic.examples.Monitor import Monitor from pyretic.examples.firewall import firewall_policy ARPPkt = match(ethtype=ARP_TYPE) Clients = 1 Servers = 2 Device_1 = 4 Device_2 = 3 PublicIP_1 = IP("10.0.100.1") PublicIP_2 = IP("10.0.100.2") ClientIPs = [ IP("10.0.0.1"), IP("10.0.0.2"), IP("10.0.0.3"), IP("10.0.0.4") ] ServerIPs_1 = [IP("10.0.0.5"), IP("10.0.0.6")] ServerIPs_2 = [IP("10.0.0.7"), IP("10.0.0.8")] LB_1 = LoadBalancer(Device_1, ClientIPs, ServerIPs_1, PublicIP_1) LB_2 = LoadBalancer(Device_2, ClientIPs, ServerIPs_2, PublicIP_2) LB_Monitor_Policy = ((ARPPkt >> mac_learner()) + (LB_1 >> mac_learner()) + (LB_2 >> mac_learner()) + Monitor(10)) return if_(firewall_policy, drop, LB_Monitor_Policy)
def example_setup(num_clients=3, num_servers=3): ### EXAMPLE PARAMETERS # NETWORK BREAKDOWN ethernet = [2, 3, 4, 1000] ip_core = [5, 6, 7, 1002] gateway = [1001] # SUBNET ADDRESSING eth_prefix = '10.0.0.' ip_prefix = '10.0.1.' prefix_len = 24 eth_cidr = eth_prefix + '0/' + str(prefix_len) ip_cidr = ip_prefix + '0/' + str(prefix_len) # END HOST ADDRESSES public_ip = IP('10.0.1.100') fake_mac = MAC('BB:BB:BB:BB:BB:BB') eth_macs = { IP(eth_prefix+str(i+1)) : MAC('00:00:00:00:00:0'+str(i)) \ for i in range(1,1+num_clients) } ip_macs = { IP(ip_prefix+str(i+1)) : MAC('00:00:00:00:00:0'+str(i+num_clients)) \ for i in range(1,1+num_servers) } host_macs = dict(eth_macs.items() + ip_macs.items()) host_macs.update({IP(public_ip): fake_mac}) ### POLICIES FOR THIS EXAMPLE eth_pol = mac_learner() ip_pol = virtualize(mac_learner(), merge(name=5, from_switches=ip_core)) gw_pol = gateway_forwarder(eth_cidr, ip_cidr, host_macs) return ((switch_in(ethernet) >> eth_pol) + (switch_in(gateway) >> gw_pol) + (switch_in(ip_core) >> ip_pol))
def main(): print "load balancer" # ips = [IPAddr('10.0.0.1'),IPAddr('10.0.0.2'),IPAddr('10.0.0.3')] ips = [IPAddr("10.0.0.3"), IPAddr("10.0.0.4")] # macs = [EthAddr("00:00:00:00:00:01"),EthAddr("00:00:00:00:00:02"),EthAddr("00:00:00:00:00:03")] macs = [EthAddr("00:00:00:00:00:03"), EthAddr("00:00:00:00:00:04")] ports = [10000, 11000] rrlb_on_switch = rrlb(2, ips, macs, ports) forwardARP = match(ethtype=0x0806) forwardICMP = match(ethtype=0x0800, protocol=1) return if_(forwardICMP | forwardARP, mac_learner(), rrlb_on_switch >> mac_learner())
def main(): # Copy the code you used to read firewall-policies.csv from the Pox Firewall assignment policyFileContent = open(policy_file) # skip first line policyFileContent.readline() # start with a policy that doesn't match any packets not_allowed = none while True: line = policyFileContent.readline() if not line: break print line # info[1] == mac_0, info[2] == mac_1 info = line.split(',') info[2].strip('\n') # and add traffic that isn't allowed not_allowed = union([ not_allowed, match(dstmac=EthAddr(info[2])) >> match(srcmac=EthAddr(info[1])) ]) not_allowed = union([ not_allowed, match(dstmac=EthAddr(info[1])) >> match(srcmac=EthAddr(info[2])) ]) # express allowed traffic in terms of not_allowed - hint use '~' allowed = ~not_allowed # and only send allowed traffic to the mac learning (act_like_switch) logic return allowed >> mac_learner()
def main(): # Copy the code you used to read firewall-policies.csv last week data = open(policy_file) data.readline() # start with a policy that doesn't match any packets not_allowed = none while 1: line = data.readline() if not line: break # print line id, mac_0, mac_1 = line.split(',') # and add traffic that isn't allowed not_allowed = union([ not_allowed, match(dstmac=EthAddr(mac_1)) >> match(srcmac=EthAddr(mac_0)) ]) not_allowed = union([ not_allowed, match(dstmac=EthAddr(mac_0)) >> match(srcmac=EthAddr(mac_1)) ]) # express allowed traffic in terms of not_allowed - hint use '~' allowed = ~not_allowed # and only send allowed traffic to the mac learning (act_like_switch) logic return allowed >> mac_learner()
def main(): # Copy the code you used to read firewall-policies.csv from the Pox Firewall assignment # start with a policy that doesn't match any packets not_allowed = none allowed = none acl = [] with open(policy_file, 'rb') as f: reader = csv.DictReader(f) for row in reader: element = [MAC(row['mac_0']), MAC(row['mac_1'])] inv_element = [MAC(row['mac_1']), MAC(row['mac_0'])] acl.append(element) acl.append(inv_element) for [i, j] in acl: print[i, j] not_allowed = not_allowed | (match(srcmac=i) & match(dstmac=j) | match(srcmac=j) & match(dstmac=i)) # express allowed traffic in terms of not_allowed - hint use '~' allowed = ~not_allowed # and only send allowed traffic to the mac learning (act_like_switch) logic #return mac_learner() return allowed >> mac_learner()
def main(): # Copy the code you used to read firewall-policies.csv last week acl = [] # access control list csvFile = open(policy_file, "rb") inStream = csv.reader(csvFile, delimiter=",") for row in inStream: acl.append(row) acl.pop(0) for item in acl: item.pop(0) # print item # start with a policy that doesn't match any packets not_allowed = none # and add traffic that isn't allowed # for <each pair of MAC address in firewall-policies.csv>: for item in acl: not_allowed = ( not_allowed | match(srcmac=EthAddr(item[0]), dstmac=EthAddr(item[1])) | match(srcmac=EthAddr(item[1]), dstmac=EthAddr(item[0])) ) # express allowed traffic in terms of not_allowed - hint use '~' # allowed = none # for item in acl: # allowed = allowed + ~match(srcmac=EthAddr(item[0]),dstmac=EthAddr(item[1])) + ~match(srcmac=EthAddr(item[1]),dstmac=EthAddr(item[0])) allowed = ~not_allowed # and only send allowed traffic to the mac learning (act_like_switch) logic # return allowed >> act_like_switch() return allowed >> mac_learner()
def main(): # Copy the code you used to read firewall-policies.csv from the Pox Firewall assignment fileOpen = open(policy_file) fileOpen.readline() # start with a policy that doesn't match any packets not_allowed = none while True: readLine = fileOpen.readline() if not readLine: break print readLine csvInfo = readLine.split(',') csvInfo[2].strip('\n') # and add traffic that isn't allowed not_allowed = union( [not_allowed, match(dstmac=EthAddr(csvInfo[2])) >> match(srcmac=EthAddr(csvInfo[1]))] ) not_allowed = union( [not_allowed, match(dstmac=EthAddr(csvInfo[1])) >> match(srcmac=EthAddr(csvInfo[2]))] ) # and add traffic that isn't allowed # for <each pair of MAC address in firewall-policies.csv>: # not_allowed = union( [ # <traffic going in one direction>, # <traffic going in the other direction> ] ) # express allowed traffic in terms of not_allowed - hint use '~' allowed = ~not_allowed # and only send allowed traffic to the mac learning (act_like_switch) logic return allowed >> mac_learner()
def main(): # Copy the code you used to read firewall-policies.csv from the Pox Firewall assignment policyFileContent = open(policy_file) # skip first line policyFileContent.readline() # start with a policy that doesn't match any packets not_allowed = none while True: line = policyFileContent.readline() if not line: break print line # info[1] == mac_0, info[2] == mac_1 info = line.split(',') info[2].strip('\n') # and add traffic that isn't allowed not_allowed = union( [not_allowed, match(dstmac=EthAddr(info[2])) >> match(srcmac=EthAddr(info[1]))] ) not_allowed = union( [not_allowed, match(dstmac=EthAddr(info[1])) >> match(srcmac=EthAddr(info[2]))] ) # express allowed traffic in terms of not_allowed - hint use '~' allowed = ~not_allowed # and only send allowed traffic to the mac learning (act_like_switch) logic return allowed >> mac_learner()
def main(): bfs1 = [1, 2, 3] bfs2 = [1, 4] pol = if_(ARP, arp(), mac_learner()) # pol = mac_learner() return virtualize(virtualize(pol, merge(from_switches=[1, 4])), merge(from_switches=[1, 2, 3]))
def main(): # Copy the code you used to read firewall-policies.csv from the Pox Firewall assignment policies = [] with open(policy_file, "r") as pf: next(pf) for line in pf: line = line.rstrip() tokens = line.split(",") mac_0 = MAC(tokens[1]) mac_1 = MAC(tokens[2]) policies.append((mac_0, mac_1)) # start with a policy that doesn't match any packets not_allowed = none # and add traffic that isn't allowed for (mac_0, mac_1) in policies: not_allowed = union([ (match(srcmac=mac_0) & match(dstmac=mac_1)) | (match(srcmac=mac_1) & match(dstmac=mac_0)) | not_allowed ]) #print not_allowed # express allowed traffic in terms of not_allowed - hint use '~' allowed = ~not_allowed #print allowed # and only send allowed traffic to the mac learning (act_like_switch) logic return allowed >> mac_learner()
def main(): # Copy the code you used to read firewall-policies.csv from the Pox Firewall assignment not_allowed = none with open(policy_file, 'rb') as mycsv: reader_macfilter_from_file = csv.DictReader(mycsv) for row in reader_macfilter_from_file: ssssssss not_allowed = union([ not_allowed, union([ match(srcmac=MAC(row['mac_0']), dstmac=MAC(row['mac_1'])), match(srcmac=MAC(row['mac_1']), dstmac=MAC(row['mac_0'])) ]) ]) # start with a policy that doesn't match any packets # and add traffic that isn't allowed # express allowed traffic in terms of not_allowed - hint use '~' allowed = ~not_allowed #print "not_allowed : " #print not_allowed #print "allowed :" #print allowed # and only send allowed traffic to the mac learning (act_like_switch) logic return allowed >> mac_learner()
def main(): re = RegexpQuery( "(?P<verb>GET|POST|DELETE|PUT|HEAD)\s*(?P<path>.*?)\s*HTTP/(?P<http>.*?)\n" ) re.register_callback(print_urls) return mac_learner() + re
def main(): # Copy the code you used to read firewall-policies.csv from the Pox Firewall assignment not_allowed=none with open(policy_file,'rb') as mycsv: reader_macfilter_from_file=csv.DictReader(mycsv) for row in reader_macfilter_from_file: ssssssss not_allowed = union( [not_allowed,union( [match(srcmac=MAC(row['mac_0']), dstmac=MAC(row['mac_1']) ), match(srcmac=MAC(row['mac_1']), dstmac=MAC(row['mac_0'])) ] ) ] ) # start with a policy that doesn't match any packets # and add traffic that isn't allowed # express allowed traffic in terms of not_allowed - hint use '~' allowed = ~not_allowed #print "not_allowed : " #print not_allowed #print "allowed :" #print allowed # and only send allowed traffic to the mac learning (act_like_switch) logic return allowed >> mac_learner()
def main(config, mode, modrepeat=None): # Open configuration file try: fd = open(config, 'r') except IOError as err: print 'IO Exception: ', err sys.exit(1) # Get mode, check validity if mode != 'auto' and mode != 'manual': print 'Wrong mode value. Exiting!' sys.exit(1) # Check test mode. repeat = 0 if modrepeat is not None: if modrepeat != 0: repeat = modrepeat # Read configuration file content = fd.read() fd.close() # Parse configuration file app_to_module_map, app_composition_str = parse_configuration_file(content, mode, repeat) if len(app_to_module_map) == 0: print 'Configuration file seems incorrect. Exiting.' sys.exit(1) # Run resonance # return resonance(app_to_module_map, app_composition_str) >> mac_learner() return resonance(app_to_module_map, app_composition_str) >> (mac_learner() + scan())
def main(): # Copy the code you used to read firewall-policies.csv from the Pox Firewall assignment f = open(policy_file, 'r') # start with a policy that doesn't match any packets not_allowed = none # and add traffic that isn't allowed #for <each pair of MAC address in firewall-policies.csv>: # not_allowed = union( [ # <traffic going in one direction>, # <traffic going in the other direction> ] ) line = f.readline() print "line_1: %s" % line while 1: line = f.readline() if not line: break print "line_n: %s" % line mac1 = line[2:19] mac2 = line[20:37] not_allowed = not_allowed | match( srcmac=MAC(mac1), dstmac=MAC(mac2)) | match(srcmac=MAC(mac2), dstmac=MAC(mac1)) print "not_allowed: %s" % not_allowed f.close() # express allowed traffic in terms of not_allowed - hint use '~' allowed = ~not_allowed # and only send allowed traffic to the mac learning (act_like_switch) logic return allowed >> mac_learner()
def main(): #logging.basicConfig(filename='log/sdnlb.log', level=logging.INFO,format='%(asctime)s %(message)s', datefmt='%d/%m/%Y %H:%M:%S %p') logging.basicConfig(filename='log/sdnlb.log', level=logging.INFO,format='%(asctime)s %(message)s', datefmt='%d/%m/%Y %H:%M:%S %p',filemode='w') #logger = logging.getLogger('sdnlblogger') #logger = logging.getLogger(__name__) logger = logging.getLogger() logger.info("shit") printConfigInfo(logger) algoType = sdnlb_conf.algo algo = AlgoFactory.getAlgoInstance(algoType) rrlb_sdn = LoadBalancer(sdnlb_conf.switch,sdnlb_conf.sip,sdnlb_conf.smac,algo) forwardARP = match(ethtype=0x0806) forwardICMP = match(ethtype=0x0800,protocol=1) return if_(forwardICMP | forwardARP, mac_learner(), \ rrlb_sdn >>mac_learner())
def Start(self): # Handle ARP ARPPkt = match(ethtype=ARP_TYPE) # Instantiate Firewalls AccessControl = self.FW.ApplyFirewall() # Instantiate Load Balancer LB = LoadBalancer(self.LB_Device, self.ClientIPs, self.ServerIPs, self.PublicIP) self.policy = ( ( ARPPkt >> mac_learner() ) + # ARP - L2 Learning Switches ( LB >> mac_learner() >> AccessControl ) + # Load Balancer + Firewall Monitor(MonitoringInterval) # Monitoring ) return self.policy
def main(): global policy global flag flag = flag() # policy = tag() >> mac_learner() >> (flag + untag()) Don't need tagging policy = mac_learner() + flag print policy return policy
def main(): bfs1 = [1,2,3] bfs2 = [1,4] pol = if_(ARP,arp(),mac_learner()) # pol = mac_learner() return virtualize( virtualize(pol, BFS_vdef(from_switches=[1,4])), BFS_vdef(from_switches=[1,2,3]))
def main (): HOST, PORT = "localhost", 9002 my_smart_balancer = smart_balancer() server = SmartBalancerTCPServer((HOST,PORT), MyTCPHandler, my_smart_balancer) serverThread = threading.Thread(target=start_server, args=(server,)) serverThread.daemon = True serverThread.start() return my_smart_balancer >> mac_learner()
def example_setup(num_clients=3, num_servers=3): ### EXAMPLE PARAMETERS # NETWORK BREAKDOWN ethernet = [2,3,4,1000] ip_core = [5,6,7,1002] gateway = [1001] # SUBNET ADDRESSING eth_prefix = '10.0.0.' ip_prefix = '10.0.1.' prefix_len = 24 eth_cidr = eth_prefix + '0/' + str(prefix_len) ip_cidr = ip_prefix + '0/' + str(prefix_len) # END HOST ADDRESSES public_ip = IP('10.0.1.100') fake_mac = MAC('BB:BB:BB:BB:BB:BB') eth_macs = { IP(eth_prefix+str(i+1)) : MAC('00:00:00:00:00:0'+str(i)) \ for i in range(1,1+num_clients) } ip_macs = { IP(ip_prefix+str(i+1)) : MAC('00:00:00:00:00:0'+str(i+num_clients)) \ for i in range(1,1+num_servers) } host_macs = dict(eth_macs.items() + ip_macs.items()) host_macs.update({IP(public_ip) : fake_mac}) # PARAMETERS FOR FIREWALL/LOAD BALANCER R = [IP(ip_prefix + str(i)) for i in range(2, 2+num_servers)] H = {IP(eth_prefix + str(i)) : 0 for i in range(2,2+num_clients)} W = {(c,public_ip) for c in H.keys()} ### POLICIES FOR THIS EXAMPLE eth_pol = mac_learner() alb = dynamic(lb)(public_ip,R,H) >> fix_dstmac(ip_macs) afw = if_(ARP,passthrough,dynamic(fw)(W)) ip_pol = if_(match(srcip=eth_cidr), afw >> alb, alb >> afw) >> mac_learner() ip_pol = virtualize(ip_pol,BFS_vdef(name=5,from_switches=ip_core)) gw_pol = gateway_forwarder(eth_cidr,ip_cidr,host_macs) return ((switch_in(ethernet) & eth_pol) + (switch_in(gateway) & gw_pol ) + (switch_in(ip_core) & ip_pol ))
def example_setup(num_clients=3, num_servers=3): ### EXAMPLE PARAMETERS # NETWORK BREAKDOWN ethernet = [2,3,4,1000] ip_core = [5,6,7,1002] gateway = [1001] # SUBNET ADDRESSING eth_prefix = '10.0.0.' ip_prefix = '10.0.1.' prefix_len = 24 eth_cidr = eth_prefix + '0/' + str(prefix_len) ip_cidr = ip_prefix + '0/' + str(prefix_len) # END HOST ADDRESSES public_ip = IP('10.0.1.100') fake_mac = MAC('BB:BB:BB:BB:BB:BB') eth_macs = { IP(eth_prefix+str(i+1)) : MAC('00:00:00:00:00:0'+str(i)) \ for i in range(1,1+num_clients) } ip_macs = { IP(ip_prefix+str(i+1)) : MAC('00:00:00:00:00:0'+str(i+num_clients)) \ for i in range(1,1+num_servers) } host_macs = dict(eth_macs.items() + ip_macs.items()) host_macs.update({IP(public_ip) : fake_mac}) # PARAMETERS FOR FIREWALL/LOAD BALANCER R = [IP(ip_prefix + str(i)) for i in range(2, 2+num_servers)] H = {IP(eth_prefix + str(i)) : 0 for i in range(2,2+num_clients)} W = {(c,public_ip) for c in H.keys()} ### POLICIES FOR THIS EXAMPLE eth_pol = mac_learner() alb = dynamic(lb)(public_ip,R,H) >> fix_dstmac(ip_macs) afw = if_(ARP,passthrough,dynamic(fw)(W)) ip_pol = if_(match(srcip=eth_cidr), afw >> alb, alb >> afw) >> mac_learner() ip_pol = virtualize(ip_pol,BFS_vdef(name=5,from_switches=ip_core)) gw_pol = gateway_forwarder(eth_cidr,ip_cidr,host_macs) return (switch_in(ethernet)[ eth_pol ] + switch_in(gateway)[ gw_pol ] + switch_in(ip_core)[ ip_pol ])
def main(clients, servers): from pyretic.modules.mac_learner import mac_learner clients = int(clients) servers = int(servers) ip_prefix = "10.0.0." public_ip = IP(ip_prefix + "100") print("public ip address is %s." % public_ip) client_ips = [IP(ip_prefix+str(i)) for i in range(1, clients+1)] server_ips = [IP(ip_prefix+str(i)) for i in range(1+clients, clients+servers+1)] return rrlb(client_ips, server_ips, public_ip) >> mac_learner()
def main(Clients, Servers): from pyretic.modules.mac_learner import mac_learner Clients = int(Clients) Servers = int(Servers) Device = 4 IP_Prefix = "10.0.0." PublicIP = IP(IP_Prefix + "100") print("Public ip address is %s." % PublicIP) ClientIPs = [IP(IP_Prefix+str(i)) for i in range(1, Clients+1)] ServerIPs = [IP(IP_Prefix+str(i)) for i in range(1+Clients, Clients+Servers+1)] return LoadBalancer(Device, ClientIPs, ServerIPs, PublicIP) >> mac_learner()
def main(): from pyretic.modules.mac_learner import mac_learner from pyretic.examples.Monitor import Monitor from pyretic.examples.firewall import firewall_policy ARPPkt = match(ethtype=ARP_TYPE) Clients = 1 Servers = 2 Device_1 = 4 Device_2 = 3 PublicIP_1 = IP("10.0.100.1") PublicIP_2 = IP("10.0.100.2") ClientIPs = [IP("10.0.0.1"), IP("10.0.0.2"), IP("10.0.0.3"), IP("10.0.0.4")] ServerIPs_1 = [IP("10.0.0.5"), IP("10.0.0.6")] ServerIPs_2 = [IP("10.0.0.7"), IP("10.0.0.8")] LB_1 = LoadBalancer(Device_1, ClientIPs, ServerIPs_1, PublicIP_1) LB_2 = LoadBalancer(Device_2, ClientIPs, ServerIPs_2, PublicIP_2) LB_Monitor_Policy = ( (ARPPkt >> mac_learner()) + ( LB_1 >> mac_learner()) + ( LB_2 >> mac_learner()) + Monitor(10) ) return if_(firewall_policy, drop, LB_Monitor_Policy)
def ApplyFirewall(self): # Set rules to devices ac1 = self.ConfigureFW1() ac2 = self.ConfigureFW2() # Update block object if self.Blocked: self.Blocked = self.Blocked | ac1 | ac2 else: self.Blocked = ac1 | ac2 # The packets tha match Block object are dropped. The rest are forwarded. self.Allowed = if_(self.Blocked, drop, mac_learner()) # Update policy object return self.UpdatePolicy()
def main(): # Copy the code you used to read firewall-policies.csv from the Pox Firewall assignment # start with a policy that doesn't match any packets not_allowed = none # and add traffic that isn't allowed with open(policy_file, 'rb') as f: reader = csv.DictReader(f) for row in reader: not_allowed = not_allowed + match(srcmac=MAC(row['mac_0']), dstmac=MAC(row['mac_1'])) + match(srcmac=MAC(row['mac_1']), dstmac=MAC(row['mac_0'])) # express allowed traffic in terms of not_allowed - hint use '~' allowed = ~not_allowed # and only send allowed traffic to the mac learning (act_like_switch) logic return allowed >> mac_learner()
def main(): # Copy the code you used to read firewall-policies.csv last week # start with a policy that doesn't match any packets not_allowed = none # and add traffic that isn't allowed for rule in rules_lst: rule_parts = rule.split(",") not_allowed = not_allowed | \ match(srcmac=MAC(rule_parts[1]),dstmac=MAC(rule_parts[2])) | \ match(srcmac=MAC(rule_parts[2]),dstmac=MAC(rule_parts[1]))) # express allowed traffic in terms of not_allowed - hint use '~' allowed = ~not_allowed # and only send allowed traffic to the mac learning (act_like_switch) logic return allowed >> mac_learner()
def main(clients, servers): from pyretic.modules.mac_learner import mac_learner num_clients = int(clients) num_servers = int(servers) print "clients %d" % num_clients print "servers %d" % num_servers # CALCULATE IPS ip_prefix = '10.0.0.' public_ip = IP(ip_prefix + str(100)) print "public_ip = %s" % public_ip client_ips = [IP(ip_prefix + str(i)) for i in range(1, 1+num_clients)] H = {c : 0 for c in client_ips} R = [IP(ip_prefix + str(i)) for i in range(1+num_clients, 1+num_clients+num_servers)] return static_lb(public_ip,R,H) >> mac_learner() ## TEST ABOVE WORKS
def main(): # Copy the code you used to read firewall-policies.csv from the Pox Firewall assignment # start with a policy that doesn't match any packets not_allowed = none # and add traffic that isn't allowed with open(policy_file, 'rb') as f: reader = csv.DictReader(f) for row in reader: not_allowed = not_allowed + match( srcmac=MAC(row['mac_0']), dstmac=MAC(row['mac_1'])) + match( srcmac=MAC(row['mac_1']), dstmac=MAC(row['mac_0'])) # express allowed traffic in terms of not_allowed - hint use '~' allowed = ~not_allowed # and only send allowed traffic to the mac learning (act_like_switch) logic return allowed >> mac_learner()
def main(): # Copy the code you used to read firewall-policies.csv from the Pox Firewall assignment firewall_entries = [] with open(policy_file) as f: next(f) csv_entries = csv.reader(f, delimiter=',') for row in csv_entries: firewall_entries.append(row[1:]) # and add traffic that isn't allowed not_allowed = union( [match(srcmac=MAC(pair[0]), dstmac=MAC(pair[1])) for pair in firewall_entries] + [match(srcmac=MAC(pair[1]), dstmac=MAC(pair[0])) for pair in firewall_entries] ) print not_allowed # express all wed traffic in terms of not_allowed - hint use '~' allowed = ~not_allowed # and only send allowed traffic to the mac learning (act_like_switch) logic return allowed >> mac_learner()
def main(): # Copy the code you used to read firewall-policies.csv last week def readPolicies(file) : macSet = Set() with open(file,'rb') as csvfile : fields = csv.DictReader(csvfile) for row in fields: macSet.add( (row['mac_0'], row['mac_1']) ) return macSet # start with a policy that doesn't match any packets not_allowed = none # and add traffic that isn't allowed for src, dst in readPolicies(policy_file): not_allowed = not_allowed + \ ( match(dstmac=MAC(dst)) >> match(srcmac = MAC(src)) ) +\ ( match(dstmac=MAC(src)) >> match(srcmac = MAC(dst) )) allowed = ~ not_allowed # and only send allowed traffic to the mac learning (act_like_switch) logic return allowed >> mac_learner()
def main(): # Copy the code you used to read firewall-policies.csv from the Pox Firewall assignment blockList=[] with open(policy_file) as f: next(f) reader = csv.reader(f, delimiter=',') for row in reader: blockList.append(row[1:]) # start with a policy that doesn't match any packets not_allowed = none # and add traffic that isn't allowed not_allowed = union([match(srcmac = MAC (pair[0]),dstmac = MAC(pair[1])) | match(srcmac = MAC (pair[1]),dstmac = MAC(pair[0])) for pair in blockList]) # express allowed traffic in terms of not_allowed - hint use '~' allowed = ~ not_allowed # and only send allowed traffic to the mac learning (act_like_switch) logic return allowed >> mac_learner()
def main(): # Copy the code you used to read firewall-policies.csv last week data = open(policy_file) data.readline() # start with a policy that doesn't match any packets not_allowed = none while 1: line = data.readline() if not line: break # print line id, mac_0, mac_1 = line.split(',') # and add traffic that isn't allowed not_allowed = union( [not_allowed, match(dstmac=EthAddr(mac_1)) >> match(srcmac=EthAddr(mac_0))] ) not_allowed = union( [not_allowed, match(dstmac=EthAddr(mac_0)) >> match(srcmac=EthAddr(mac_1))] ) # express allowed traffic in terms of not_allowed - hint use '~' allowed = ~not_allowed # and only send allowed traffic to the mac learning (act_like_switch) logic return allowed >> mac_learner()
def main(): rules = [] f = open(policy_file) try: reader = csv.reader(f) for row in islice(reader, 1, None): rules.append({'src':row[1], 'dst':row[2]}); finally: f.close() # start with a policy that doesn't match any packets not_allowed = none for rule in rules: not_allowed = not_allowed | match(srcmac=MAC(rule['src']), dstmac=MAC(rule['dst'])) not_allowed = not_allowed | match(srcmac=MAC(rule['dst']), dstmac=MAC(rule['src'])) allowed = ~not_allowed # and only send allowed traffic to the mac learning (act_like_switch) logic return allowed >> mac_learner()
def __init__(self): super(metrics,self).__init__() # Probing attributes self.network = None self.topology = None self.logger = None self.timer = None self.lock = threading.Lock() self.ipToSwitch = {} self.seqCounter = 0 # rather than use sequence number, we use alternating black/white # packets, where this is the packet 'protocol' self.switchToPort = None # Policies, callbacks, etc self.newIpQuery = packets(1,['srcip']) self.newIpQuery.register_callback(self.registerIp) self.query = packets() self.query.register_callback(self.registerProbe) self.ipRules = None self.directRoute = None self.macLearn = mac_learner() self.policy = drop self.floodPolicy = flood() self.dropPolicy = drop self.metricsPolicy = None self.reRoutingPolicy = None self.inverseRoutingPolicy = None self.test2q = packets() self.test3q = packets() self.test4q = packets() self.test4q.register_callback(self.test2) self.test3q.register_callback(self.test) self.test5q = packets() self.test5q.register_callback(self.test3) self.test2q.register_callback(self.test) self.rulesSelfCheck = {}
def main(): # Copy the code you used to read firewall-policies.csv from the Pox Firewall assignment fileOpen = open(policy_file) fileOpen.readline() # start with a policy that doesn't match any packets not_allowed = none while True: readLine = fileOpen.readline() if not readLine: break print readLine csvInfo = readLine.split(',') csvInfo[2].strip('\n') # and add traffic that isn't allowed not_allowed = union([ not_allowed, match(dstmac=EthAddr(csvInfo[2])) >> match(srcmac=EthAddr(csvInfo[1])) ]) not_allowed = union([ not_allowed, match(dstmac=EthAddr(csvInfo[1])) >> match(srcmac=EthAddr(csvInfo[2])) ]) # and add traffic that isn't allowed # for <each pair of MAC address in firewall-policies.csv>: # not_allowed = union( [ # <traffic going in one direction>, # <traffic going in the other direction> ] ) # express allowed traffic in terms of not_allowed - hint use '~' allowed = ~not_allowed # and only send allowed traffic to the mac learning (act_like_switch) logic return allowed >> mac_learner()
def main(): #intiailisation of the policies not_allowed = none # Useful Pyretic policies # match(f=v): filters only those packets whose header field f's value matches v # ~A: negates a match # A & B: logical intersection of matches A and B # A | B: logical union of matches A and B # fwd(a): forward packet out port a # flood(): send all packets to all ports on a network minimum spanning tree, except for the input port # A >> B: A's output becomes B's input # A + B: A's output and B's output are combined # if_(M,A,B): if packet filtered by M, then use A, otherwise use B #start with a policy that does not match any packet #and add traffic that is not allowed #for each pair two rules ifile = open(policy_file, "rb") reader = csv.reader(ifile) rownum = 0 for row in reader: # Save header row. if rownum != 0: rule1 = match(srcmac=MAC(row[1])) & match(dstmac=MAC(row[2])) rule2 = match(srcmac=MAC(row[2])) & match(dstmac=MAC(row[1])) not_allowed = not_allowed | rule1 | rule2 rownum += 1 ifile.close() #express allowed traffic in terms of not_allowed - hint use '~' allowed = ~not_allowed #and only send allowed traffic to the mac learning (act_like_switch) logic return allowed >> mac_learner()
def main(): # Copy the code you used to read firewall-policies.csv from the Pox Firewall assignment blockList = [] with open(policy_file) as f: next(f) reader = csv.reader(f, delimiter=',') for row in reader: blockList.append(row[1:]) # start with a policy that doesn't match any packets not_allowed = none # and add traffic that isn't allowed not_allowed = union([ match(srcmac=MAC(pair[0]), dstmac=MAC(pair[1])) | match(srcmac=MAC(pair[1]), dstmac=MAC(pair[0])) for pair in blockList ]) # express allowed traffic in terms of not_allowed - hint use '~' allowed = ~not_allowed # and only send allowed traffic to the mac learning (act_like_switch) logic return allowed >> mac_learner()
def allow_MAC(self,mac_var): tup_mac=(mac_var) flag=1 print "Allowing MAC:",mac_var self.policy=if_(match(srcmac=EthAddr(mac_var)),mac_learner(),if_(match(dstmac=EthAddr(mac_var)),mac_learner(),self.policy)) """result=checkAddress(1,mac_var)
def staticFilterTcp(): return if_(match(ethtype=packet.IPV4, protocol=packet.TCP_PROTO),genDynRules(),mac_learner())
from pyretic.lib.corelib import * from pyretic.lib.std import * from pyretic.modules.mac_learner import mac_learner import os # insert the name of the module and policy you want to import from pyretic.examples.<....> import <....> policy_file = "%s/pyretic/pyretic/examples/firewall-policies.csv" % os.environ[ 'HOME' ] def main(): # Copy the code you used to read firewall-policies.csv from the Pox Firewall assignment # start with a policy that doesn't match any packets not_allowed = none # and add traffic that isn't allowed for <each pair of MAC address in firewall-policies.csv>: not_allowed = union( [ <traffic going in one direction>, <traffic going in the other direction> ] ) # express allowed traffic in terms of not_allowed - hint use '~' allowed = <...> # and only send allowed traffic to the mac learning (act_like_switch) logic return allowed >> mac_learner()
def main(): return pyretic_gardenwall() >> mac_learner()
def main(): # return (packet_counts() + # byte_counts() + # mac_learner()) return (proactive_counts() + mac_learner())
def main(): from pyretic.modules.mac_learner import mac_learner return soft_cap_enforcer() >> mac_learner()
def arp_and_mac_learn(): """Handle ARPs and do MAC learning""" return if_(ARP, arp(), mac_learner())
print "******************************************************************" mac_var=raw_input("Enter MAC you want to block : ") self.block_MAC(mac_var) elif ch==5: exit() else: print "******************************************************************" print "Invalid choice" except ValueError: print "Invalid User Input" def allow_IP(self,ip_var): #tup_ip=(ip_var) flag=0 print "Allowing ip :",ip_var self.policy=if_(match(srcip=IPAddr(ip_var)),mac_learner(),self.policy)>>if_(match(dstip=IPAddr(ip_var)),mac_learner(),self.policy) """result=checkAddress(0,ip_var) if result=="present": print "IP %s is already allowed"%ip_var else: UIFirewall.ips.append(ip_var) self.policy=if_(match(srcip=IPAddr(ip_var)),mac_learner,self.policy)>>if_(match(dstip=IPAddr(ip_var)),mac_learner,self.policy) """ """ try: index=UIFirewall.ips.index(ip_var) print "IP %s is already allowed"%ip_var except: UIFirewall.ips.append(ip_var)
def setup(num_internet_hosts=253, num_dmz_servers=1, num_internal_hosts=2): #----------------- #Network breakdown (virtual components) internal_net_edge = [1000] gateway = [1001] blackhole_checker_redirector = [1002] firewall = [1003] internet_edge = [1004] #----------------- #IP subnets internal_prefix = '10.1.1.' internet_prefix = '10.1.2.' prefix_len = 24 internal_cidr = internal_prefix + '0/' + str(prefix_len) internet_cidr = internet_prefix + '0/' + str(prefix_len) #----------------- #End hosts and servers internal_ip_to_macs = { IP(internal_prefix + str(i + 1)): MAC('00:00:00:00:00:0' + str(i)) for i in range(1, 1 + num_internal_hosts + num_dmz_servers) } internet_ip_to_macs = { IP(internet_prefix + str(i + 1)): MAC('00:00:00:00:00:04') for i in range(1, 1 + num_internet_hosts) } host_ip_to_macs = dict(internal_ip_to_macs.items() + internet_ip_to_macs.items()) #----------------- #params for blackhole checker/redirector #threshold rate of packets belonging to the same (srcip,dstip,dstport) flow (careful: TCP protocol!) #if this rate is surpassed, we conider this a possible DoS and redirect #the flow to the blackhole host for further examination threshold_rate = 5 #packets per sec (you can tune it if needed) blackhole_port_dict = { 'untrusted': 2, 'trusted': 1, 'blackhole': 3 } #see exercise setup (figure 2) ips_and_tcp_ports_to_protect = [("10.1.1.4", 80)] #protect apache server #----------------- #params for firewall firewall_port_dict = { 'untrusted': 2, 'trusted': 1 } #see exercise setup (ports of firewall, figure 2) whitelist = set([]) for i in internal_ip_to_macs.keys(): for j in internet_ip_to_macs.keys(): internal_ip = str(i) internet_ip = str(j) #here we check if the internal_ip is the server #and if this is the server we make by-directional connection #else we make one direction connection if internal_ip != '10.1.1.4': whitelist.add((internal_ip, internet_ip)) else: whitelist.add((internal_ip, internet_ip)) whitelist.add((internet_ip, internal_ip)) #ATTENTION: Build whitelist!!! (see how firewall expects it) print "Firewall whitelist" print whitelist #----------------- #policies #ATTENTION: internal network edge policy??? #ATTENTION: gateway policy??? #ATTENTION: black-hole host policy?? #ATTENTION: firewall policy???-->ATTENTION: besides the IP whitelist, the firewall policy should let ARP packets reach the gateway! (hint: use 'if_') #ATTENTION: internet edge policy??? #initial test policies for firewall and blackhole #blackhole_pol= blackhole_pol = BlackholeCheckerRedirector(threshold_rate, blackhole_port_dict, ips_and_tcp_ports_to_protect) # proo8ei to paketo firewall_pol = ( if_(ARP, passthrough, fw(whitelist)) >> dumb_forwarder(1, 2)) #idio level eth_pol = mac_learner() ip_pol = mac_learner() gw_pol = gateway_forwarder(internal_cidr, internet_cidr, host_ip_to_macs) return ((switch_in(blackhole_checker_redirector) >> blackhole_pol) + (switch_in(firewall) >> firewall_pol) + (switch_in(internal_net_edge) >> eth_pol) + (switch_in(gateway) >> gw_pol) + (switch_in(internet_edge) >> ip_pol))
def main(): return (packet_counts() + packet_sizes() + mac_learner())
def __init__(self): super(UIFirewall,self).__init__(true) self.policy=mac_learner() ob=Thread(target=self.UI_Loop) ob.start()
class UIFirewall(DynamicPolicy): ips=[] macs=[] flag=0 def __init__(self): super(UIFirewall,self).__init__(true) self.policy=mac_learner() ob=Thread(target=self.UI_Loop) ob.start() def UI_Loop(self): print "\t\t\t Starting Controller...." print "*********************WELCOME TO UI CONTROLLER*********************" while True: #get argument print "\nUSER CHOICE:\n-->1.Allow IP\n-->2.Block IP\n-->3.Allow MAC\n-->4.Block MAC\n-->5.Exit" print "\n******************************************************************" self.accept_user_choice() def accept_user_choice(self): try: ch=int(raw_input("Please enter your choice --> ")) print "\n" if ch==1: print "******************************************************************" ip_var=raw_input("Enter IP address you want to allow : ") match = re.search(r'^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$', ip_var) if match: self.allow_IP(ip_var) else: print "invalid IP" elif ch==2: print "******************************************************************" ip_var=raw_input("Enter IP address you want to block : ") match = re.search(r'^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$', ip_var) if match: self.block_IP(ip_var) else: print "invalid IP" elif ch==3: print "******************************************************************" mac_var=raw_input("Enter MAC you want to allow : ") if re.match(r"([\dA-F]{2}(?:[:][\dA-F]{2}){5})",mac_var): self.allow_MAC(mac_var) else: print "Invalid MAC" elif ch==4: print "******************************************************************" mac_var=raw_input("Enter MAC you want to block : ") if re.match(r"([\dA-F]{2}(?:[:][\dA-F]{2}){5})",mac_var): self.block_MAC(mac_var) else: print "Invalid MAC" elif ch==5: exit() else: print "******************************************************************" print "Invalid choice" except ValueError: print "Invalid User Input" def allow_IP(self,ip_var): #tup_ip=(ip_var) flag=0 print "Allowing ip :",ip_var #self.policy=if_(~match(srcip=IPAddr(ip_var)),drop,mac_learner)>>if_(~match(dstip=IPAddr(ip_var)),drop,mac_learner) self.policy=if_(match(srcip=IPAddr(ip_var)),mac_learner(),if_(match(dstip=IPAddr(ip_var)),mac_learner(),self.policy)) print self.policy """result=checkAddress(0,ip_var) if result=="present": print "IP %s is already allowed"%ip_var else: UIFirewall.ips.append(ip_var) self.policy=if_(match(srcip=IPAddr(ip_var)),mac_learner,self.policy)>>if_(match(dstip=IPAddr(ip_var)),mac_learner,self.policy) """ """try:
def setup(num_internet_hosts=253, num_dmz_servers=1, num_internal_hosts=2): #----------------- #Network breakdown (the virtual components in Pyretic) internal_net_edge = [1000] gateway = [1001] flow_monitor_blackhole_redirector = [1002] firewall = [1003] internet_edge = [1004] #----------------- #IP subnets internal_prefix = '10.1.1.' internet_prefix = '10.1.2.' prefix_len = 24 internal_cidr = internal_prefix + '0/' + str(prefix_len) internet_cidr = internet_prefix + '0/' + str(prefix_len) #----------------- #End hosts and servers internal_ip_to_macs = { IP(internal_prefix + str(i)): MAC('00:00:00:00:00:0' + str(i)) for i in range(1, 1 + num_internal_hosts + num_dmz_servers) } internet_ip_to_macs = { IP(internet_prefix + str(i)): MAC('00:00:00:00:00:04') for i in range(1, 1 + num_internet_hosts) } host_ip_to_macs = dict(internal_ip_to_macs.items() + internet_ip_to_macs.items()) print "Third Arguement:" + str(host_ip_to_macs) #----------------- #Parameters for flow monitor and blackhole redirector. #Threshold rate of packets belonging to the same (srcip,dstip,dstport) flow. #If this rate is surpassed, the flow is suspected to be a DoS attack; then redirect flow to the blackhole host. threshold_rate = 5 #packets per sec (you can change this if you want to check) blackhole_port_dict = { 'untrusted': 2, 'trusted': 1, 'blackhole': 3 } #see Figure 2 in the project description ips_and_tcp_ports_to_protect = [("10.1.1.3", 80) ] #protect the Apache server #----------------- #Parameters for the stateful firewall firewall_port_dict = { 'untrusted': 2, 'trusted': 1 } #see Figure 2 in project description whitelist = set([]) for i in internal_ip_to_macs.keys(): for j in internet_ip_to_macs.keys(): internal_ip = str(i) internet_ip = str(j) if (internal_ip == '10.1.1.3'): whitelist.add((internal_ip, internet_ip)) whitelist.add((internet_ip, internal_ip)) else: whitelist.add((internal_ip, internet_ip)) ### write your code ###: Build whitelist of IP addresses (see how firewall expects it) print "Firewall whitelist:" print whitelist #----------------- #Define policies ### write your code ###: internal network edge policy? internal_network_edge_policy = mac_learner() ### write your code ###: gateway policy? gateway_policy = gateway_forwarder(internal_cidr, internet_cidr, host_ip_to_macs) ### write your code ###: blackhole host policy? blackhole_policy = FlowMonitorBlackholeRedirector( threshold_rate, blackhole_port_dict, ips_and_tcp_ports_to_protect) ### write your code ###: firewall policy? Note that besides the IP addresses in the firewall whitelist, the firewall policy should let ARP packets reach the gateway (hint: use 'if_') ### write your code ###: internet edge policy??? internet_edge_policy = mac_learner() #Commands to do initial test of policies for firewall and blackhole firewall_policy = if_(ARP, passthrough, fw(whitelist)) >> dumb_forwarder( firewall_port_dict['trusted'], firewall_port_dict['untrusted']) #----------------- ### write your code ###: return ? --> Combine the policies! (Hint: check gateway_3switch_example_basic.py in the ~/pyretic/pyretic/examples directory) return ( (switch_in(internal_net_edge) >> internal_network_edge_policy) + (switch_in(gateway) >> gateway_policy) + (switch_in(flow_monitor_blackhole_redirector) >> blackhole_policy) + (switch_in(firewall) >> firewall_policy) + (switch_in(internet_edge) >> internet_edge_policy))
def main(): return (packet_counts() + byte_counts() + mac_learner())
def main(**kwargs): return test_setup(test_mains, mac_learner(), **kwargs)