# Python
import collections
# Ryu - OpenFlow
from ryu.base import app_manager
from ryu.controller.handler import CONFIG_DISPATCHER
from ryu.controller.handler import MAIN_DISPATCHER
from ryu.controller.handler import HANDSHAKE_DISPATCHER
from ryu.controller.handler import set_ev_cls
from ryu.controller import ofp_event
from ryu.lib.packet import ethernet, ipv4, tcp, udp
from ryu.lib.packet import packet
from ryu.ofproto import ether
from ryu.ofproto import ofproto_v1_3
# Ryu - REST API
from ryu.app.wsgi import WSGIApplication
from ryu.controller import dpset
# Us
import config
import util
from rest import UserController
class Proto(object):
    """Protocol identifiers used in OFPMatch fields, in on-the-wire units.

    Plain class attributes so they can be referenced as ``Proto.X`` from
    match keyword arguments without instantiating anything.
    """

    # EtherType values (Ethernet header)
    ETHER_IP = 0x0800
    ETHER_ARP = 0x0806

    # IPv4 protocol numbers
    IP_TCP = 6
    IP_UDP = 17

    # Well-known L4 destination ports
    TCP_HTTP = 80
    UDP_DNS = 53
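class CapFlow(app_manager.RyuApp):
    """Captive-portal style OpenFlow 1.3 controller application.

    Every switch starts with a low-priority send-everything-to-controller
    rule. Hosts are learned by source MAC on their first packet. A client
    whose IPv4 source address is marked ``True`` in ``self.authenticate``
    (filled in by the REST ``UserController``) gets a MAC-to-MAC bypass
    rule; everyone else only gets DNS forwarded and HTTP rewritten (NATed)
    towards the auth server.
    """

    OFP_VERSIONS = [ofproto_v1_3.OFP_VERSION]
    _CONTEXTS = {
        'dpset': dpset.DPSet,
        'wsgi': WSGIApplication
    }

    # IANA protocol number for ICMP; Proto does not define it.
    _IP_ICMP = 1

    # Flow priorities, lowest to highest. OpenFlow leaves the winner
    # undefined when two overlapping entries share a priority, so each rule
    # kind gets its own value.
    _PRIO_TO_CONTROLLER = 2
    _PRIO_LEARNED_DST = 10
    # The drop rule overlaps the learned eth_dst rule of its destination and
    # must rank above it, otherwise the "drop" may be forwarded instead.
    _PRIO_DROP = 20
    _PRIO_BYPASS = 100
    _PRIO_NAT = 1000

    def __init__(self, *args, **kwargs):
        """Set up learning/auth tables and expose the auth table over REST."""
        super(CapFlow, self).__init__(*args, **kwargs)
        # dpid -> {mac: switch port}
        self.mac_to_port = collections.defaultdict(dict)
        # ipv4 source address -> authentication state. Written by
        # UserController through the WSGI registry below; only the value
        # True grants the bypass.
        self.authenticate = collections.defaultdict(dict)
        wsgi = kwargs['wsgi']
        wsgi.registory['UserController'] = self.authenticate
        UserController.register(wsgi)

    @set_ev_cls(ofp_event.EventOFPSwitchFeatures, CONFIG_DISPATCHER)
    def switch_features_handler(self, ev):
        """Reset a newly connected switch to the base rule set.

        Wipes the flow table, installs the catch-all to-controller rule and
        pre-seeds the auth server's location so it never has to be learned.
        """
        datapath = ev.msg.datapath
        ofproto = datapath.ofproto
        parser = datapath.ofproto_parser

        self.logger.info("Clear rule table on dpid %s", datapath.id)
        util.delete_flow(datapath, parser.OFPMatch())

        # Send everything to ctrl
        self.logger.info("Install sending to controller rule")
        util.add_flow(datapath,
                      parser.OFPMatch(),
                      [parser.OFPActionOutput(ofproto.OFPP_CONTROLLER)],
                      priority=self._PRIO_TO_CONTROLLER,
                      )

        # So we don't need to learn auth server location
        # TODO: this assumes we are controlling only a single switch!
        port = config.AUTH_SERVER_PORT
        self.mac_to_port[datapath.id][config.AUTH_SERVER_MAC] = port

    @set_ev_cls(ofp_event.EventOFPPacketIn, MAIN_DISPATCHER)
    def _packet_in_handler(self, ev):
        """Learn the source host and install rules according to its auth state.

        Order of decisions: learn source MAC, pass ARP through, drop unknown
        destinations, bypass authenticated clients, otherwise allow DNS,
        NAT HTTP to the auth server and drop other IP protocols.
        """
        msg = ev.msg
        datapath = msg.datapath
        ofproto = datapath.ofproto
        parser = datapath.ofproto_parser
        in_port = msg.match['in_port']
        dpid = datapath.id

        pkt = packet.Packet(msg.data)
        # get_protocol returns None instead of raising IndexError on a
        # packet that could not be parsed up to the requested layer.
        eth = pkt.get_protocol(ethernet.ethernet)
        if eth is None:
            self.logger.info("packet in %s port %s: no ethernet header, ignoring",
                             dpid, in_port)
            return
        nw_dst = eth.dst
        nw_src = eth.src
        self.logger.info("packet in %s %s %s %s",
                         dpid, nw_src, nw_dst, in_port)

        known_ports = self.mac_to_port[dpid]
        if nw_src not in known_ports:
            self.logger.info("New client: dpid %s mac %s port %s",
                             dpid, nw_src, in_port)
            known_ports[nw_src] = in_port
            self.logger.info("Installing *->%s forwarding rule", nw_src)
            # This enables all traffic addressed to the client to go there.
            # FIXME: do we really want to enable this on unauthenticated hosts?
            # NOTE(review): this rule outranks the to-controller rule, so once a
            # destination MAC is learned, traffic to it from any host is
            # switched directly and never reaches the auth logic below.
            util.add_flow(datapath,
                          parser.OFPMatch(
                              eth_dst=nw_src,
                          ),
                          [parser.OFPActionOutput(in_port), ],
                          priority=self._PRIO_LEARNED_DST,
                          msg=msg,
                          )

        # pass ARP through, defaults to flooding if destination unknown
        if eth.ethertype == Proto.ETHER_ARP:
            self.logger.info("ARP")
            port = known_ports.get(nw_dst, ofproto.OFPP_FLOOD)
            out = parser.OFPPacketOut(
                datapath=datapath,
                buffer_id=msg.buffer_id,
                in_port=in_port,
                actions=[parser.OFPActionOutput(port)],
                data=msg.data,
            )
            datapath.send_msg(out)
            return

        # Non-ARP traffic to unknown destination is dropped
        if nw_dst not in known_ports:
            self.logger.info("Unknown destination %s, dropping", nw_dst)
            return
        out_port = known_ports[nw_dst]

        if eth.ethertype != Proto.ETHER_IP:
            self.logger.info("not handling non-ip traffic")
            return
        ip = pkt.get_protocol(ipv4.ipv4)
        if ip is None:
            self.logger.info("IP ethertype without parsable IPv4 header, ignoring")
            return

        # .get() rather than [] so the defaultdict does not grow an empty
        # entry for every unauthenticated source address seen. "== True" is
        # kept on purpose: only the exact value stored by UserController
        # counts, not any truthy value.
        is_authenticated = self.authenticate.get(ip.src) == True  # noqa: E712

        # If the client is authenticated, install L2 MAC-MAC rule
        if is_authenticated:
            self.logger.info("authenticated")
            self.logger.info("Installing %s to %s bypass", nw_src, nw_dst)
            self._install_l2_src_dst(datapath, msg, nw_src, nw_dst, out_port)
            return

        # Client is not authenticated
        if ip.proto == self._IP_ICMP:
            self.logger.info("ICMP, ignore")
            return

        if ip.proto == Proto.IP_UDP:
            _udp = pkt.get_protocol(udp.udp)
            if _udp is not None and _udp.dst_port == Proto.UDP_DNS:
                self.logger.info("Install DNS bypass")
                self._install_dns_fwd(datapath, msg, nw_src, nw_dst, out_port)
            else:
                self.logger.info("Unknown UDP proto, ignore")
            return

        if ip.proto == Proto.IP_TCP:
            _tcp = pkt.get_protocol(tcp.tcp)
            if _tcp is not None and _tcp.dst_port == Proto.TCP_HTTP:
                self.logger.info("Is HTTP traffic, installing NAT entry")
                self._install_http_nat(datapath, msg, in_port, nw_src, nw_dst,
                                       ip.src, ip.dst,
                                       _tcp.src_port, _tcp.dst_port)
            # NOTE(review): non-HTTP TCP from an unauthenticated client gets
            # no rule at all (neither forward nor drop); confirm this is intended.
            return

        # Any other IP protocol from an unauthenticated client is dropped
        # at the switch.
        self.logger.info("Unknown IP proto %s, dropping", ip.proto)
        self._drop_unknown_ip(datapath, msg, nw_src, nw_dst, ip.proto)

    def _install_l2_src_dst(self, datapath, msg, nw_src, nw_dst, out_port):
        """Install the MAC-to-MAC bypass rule an authenticated client gets."""
        parser = datapath.ofproto_parser
        # NOTE(review): the match is MAC-only while authentication is keyed
        # by IPv4 source, so the rule is not bound to the address that was
        # authenticated; matching ipv4_src as well would tie them together.
        util.add_flow(datapath,
                      parser.OFPMatch(
                          eth_src=nw_src,
                          eth_dst=nw_dst,
                      ),
                      [parser.OFPActionOutput(out_port), ],
                      priority=self._PRIO_BYPASS,
                      msg=msg,
                      )

    def _install_dns_fwd(self, datapath, msg, nw_src, nw_dst, out_port):
        """Forward DNS (UDP/53) from nw_src to nw_dst without authentication."""
        parser = datapath.ofproto_parser
        util.add_flow(datapath,
                      parser.OFPMatch(
                          eth_src=nw_src,
                          eth_dst=nw_dst,
                          eth_type=Proto.ETHER_IP,
                          ip_proto=Proto.IP_UDP,
                          udp_dst=Proto.UDP_DNS,
                      ),
                      [parser.OFPActionOutput(out_port)],
                      priority=self._PRIO_BYPASS,
                      msg=msg,
                      )

    def _install_http_nat(self, datapath, msg, in_port, nw_src, nw_dst,
                          ip_src, ip_dst, tcp_src, tcp_dst):
        """Redirect one HTTP connection to the auth server and back.

        Two per-connection rules: the reverse rule rewrites replies from the
        auth server so they appear to come from the original destination,
        the forward rule rewrites the client's packets towards the auth
        server. The reverse rule is installed first so a reply can never
        arrive before its rewrite exists.
        """
        parser = datapath.ofproto_parser
        # TODO: we do not change port right now so it might collide with
        # other connections from the host. This is unlikely though
        # Reverse rule goes first
        util.add_flow(datapath,
                      parser.OFPMatch(
                          in_port=config.AUTH_SERVER_PORT,
                          eth_src=config.AUTH_SERVER_MAC,
                          eth_dst=nw_src,
                          eth_type=Proto.ETHER_IP,
                          ip_proto=Proto.IP_TCP,
                          ipv4_src=config.AUTH_SERVER_IP,
                          ipv4_dst=ip_src,
                          tcp_dst=tcp_src,
                          tcp_src=tcp_dst,
                      ),
                      [parser.OFPActionSetField(ipv4_src=ip_dst),
                       parser.OFPActionSetField(eth_src=nw_dst),
                       parser.OFPActionOutput(in_port)
                       ],
                      priority=self._PRIO_NAT,
                      )
        # Forward rule; msg is passed so the buffered packet is released
        # together with this rule.
        util.add_flow(datapath,
                      parser.OFPMatch(
                          in_port=in_port,
                          eth_src=nw_src,
                          eth_dst=nw_dst,
                          eth_type=Proto.ETHER_IP,
                          ip_proto=Proto.IP_TCP,
                          ipv4_src=ip_src,
                          ipv4_dst=ip_dst,
                          tcp_dst=tcp_dst,
                          tcp_src=tcp_src,
                      ),
                      [parser.OFPActionSetField(ipv4_dst=config.AUTH_SERVER_IP),
                       parser.OFPActionSetField(eth_dst=config.AUTH_SERVER_MAC),
                       parser.OFPActionOutput(config.AUTH_SERVER_PORT)
                       ],
                      priority=self._PRIO_NAT,
                      msg=msg,
                      )

    def _drop_unknown_ip(self, datapath, msg, nw_src, nw_dst, ip_proto):
        """Install an empty-action (drop) rule for nw_src -> nw_dst / ip_proto."""
        parser = datapath.ofproto_parser
        util.add_flow(datapath,
                      parser.OFPMatch(
                          eth_src=nw_src,
                          eth_dst=nw_dst,
                          eth_type=Proto.ETHER_IP,
                          ip_proto=ip_proto,
                      ),
                      [],
                      priority=self._PRIO_DROP,
                      msg=msg,
                      )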