etri.sdn.controller.module.firewall

Class OFMFirewall

java.lang.Object

etri.sdn.controller.OFModule

etri.sdn.controller.module.firewall.OFMFirewall

All Implemented Interfaces:

IService, IFirewallService

public class OFMFirewall
extends OFModule
implements IFirewallService

This class implements the firewall module.

Modified the original Firewall class of Floodlight.

Author:

jshin

Field Summary

Fields

Modifier and Type	Field and Description
private java.lang.String	collectionName
static java.lang.String	COLUMN_ACTION
static java.lang.String	COLUMN_DL_DST
static java.lang.String	COLUMN_DL_SRC
static java.lang.String	COLUMN_DL_TYPE
static java.lang.String	COLUMN_DPID
static java.lang.String	COLUMN_IN_PORT
static java.lang.String	COLUMN_NW_DST_MASKBITS
static java.lang.String	COLUMN_NW_DST_PREFIX
static java.lang.String	COLUMN_NW_PROTO
static java.lang.String	COLUMN_NW_SRC_MASKBITS
static java.lang.String	COLUMN_NW_SRC_PREFIX
static java.lang.String	COLUMN_PRIORITY
static java.lang.String	COLUMN_RULEID
static java.lang.String	COLUMN_TP_DST
static java.lang.String	COLUMN_TP_SRC
static java.lang.String	COLUMN_WILDCARD_DL_DST
static java.lang.String	COLUMN_WILDCARD_DL_SRC
static java.lang.String	COLUMN_WILDCARD_DL_TYPE
static java.lang.String	COLUMN_WILDCARD_DPID
static java.lang.String	COLUMN_WILDCARD_IN_PORT
static java.lang.String	COLUMN_WILDCARD_NW_DST
static java.lang.String	COLUMN_WILDCARD_NW_PROTO
static java.lang.String	COLUMN_WILDCARD_NW_SRC
static java.lang.String	COLUMN_WILDCARD_TP_DST
static java.lang.String	COLUMN_WILDCARD_TP_SRC
static java.lang.String[]	ColumnNames
private java.lang.String	dbName
protected boolean	enabled
private FirewallStorage	firewallStorage
private OFProtocol	protocol
protected java.util.List<FirewallRule>	rules
private OFMStorageManager	storageInstance
protected int	subnet_mask
static java.lang.String	TABLE_NAME

Fields inherited from class etri.sdn.controller.OFModule

controller

Constructor Summary

Constructors

Constructor and Description
OFMFirewall()

Method Summary

Methods

Modifier and Type	Method and Description
void	addRule(FirewallRule rule) Adds a new firewall rule into the memory storage and the persistent database.
void	clearRules() Delete all the rules from the memory storage and the persistent database.
void	deleteRule(int ruleid) Deletes the firewall rule using the ruleid from the memory storage and the persistent database.
void	enableFirewall(boolean enabled) Enables/disables the firewall.
java.lang.String	getCollectionName()
java.lang.String	getDbName()
protected int	getInputPort(org.openflow.protocol.interfaces.OFPacketIn pi)
OFModel[]	getModels() returns the array of all OFModel objects associated with this module.
java.util.List<FirewallRule>	getRules() Returns all firewall rules.
OFMStorageManager	getStorageInstance()
java.util.List<java.util.Map<java.lang.String,java.lang.Object>>	getStorageRules() Returns all firewall rules of the persistent database.
java.lang.String	getSubnetMask() Returns the subnet mask.
protected boolean	handleDisconnect(Connection conn) Process the disconnection event from a switch.
protected boolean	handleHandshakedEvent(Connection conn, MessageContext context) An abstract method that all subclasses should implement.
protected boolean	handleMessage(Connection conn, MessageContext context, org.openflow.protocol.OFMessage msg, java.util.List<org.openflow.protocol.OFMessage> outgoing) Handle incoming messages that pass the test of filters.
protected void	initialize() Initializes this module.
protected boolean	IPIsBroadcast(int IPAddress) Checks whether an IP address is a broadcast address or not.
boolean	isEnabled() Returns operational status of the firewall.
protected RuleWildcardsPair	matchWithRule(IOFSwitch sw, org.openflow.protocol.interfaces.OFPacketIn pi, MessageContext cntx) Iterates over the firewall rules and tries to match them with the incoming packet (flow).
private boolean	processPacketInMessage(IOFSwitch sw, org.openflow.protocol.interfaces.OFPacketIn pi, IRoutingDecision decision, MessageContext cntx) Checks the incoming packet with the firewall policy and create a decision to handle the packet.
protected java.util.ArrayList<FirewallRule>	readRulesFromStorage() Reads the rules from the persistent database and creates a sorted array list of FirewallRule.
void	setSubnetMask(java.lang.String newMask) Sets the subnet mask

Methods inherited from class etri.sdn.controller.OFModule

getController, getModule, init, processDisconnect, processHandshakeFinished, processMessage, registerFilter, registerModule

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

firewallStorage

private FirewallStorage firewallStorage

storageInstance

private OFMStorageManager storageInstance

dbName

private java.lang.String dbName

collectionName

private java.lang.String collectionName

rules

protected java.util.List<FirewallRule> rules

enabled

protected boolean enabled

subnet_mask

protected int subnet_mask

protocol

private OFProtocol protocol

TABLE_NAME

public static final java.lang.String TABLE_NAME

See Also:

Constant Field Values

COLUMN_RULEID

public static final java.lang.String COLUMN_RULEID

See Also:

Constant Field Values

COLUMN_DPID

public static final java.lang.String COLUMN_DPID

See Also:

Constant Field Values

COLUMN_IN_PORT

public static final java.lang.String COLUMN_IN_PORT

See Also:

Constant Field Values

COLUMN_DL_SRC

public static final java.lang.String COLUMN_DL_SRC

See Also:

Constant Field Values

COLUMN_DL_DST

public static final java.lang.String COLUMN_DL_DST

See Also:

Constant Field Values

COLUMN_DL_TYPE

public static final java.lang.String COLUMN_DL_TYPE

See Also:

Constant Field Values

COLUMN_NW_SRC_PREFIX

public static final java.lang.String COLUMN_NW_SRC_PREFIX

See Also:

Constant Field Values

COLUMN_NW_SRC_MASKBITS

public static final java.lang.String COLUMN_NW_SRC_MASKBITS

See Also:

Constant Field Values

COLUMN_NW_DST_PREFIX

public static final java.lang.String COLUMN_NW_DST_PREFIX

See Also:

Constant Field Values

COLUMN_NW_DST_MASKBITS

public static final java.lang.String COLUMN_NW_DST_MASKBITS

See Also:

Constant Field Values

COLUMN_NW_PROTO

public static final java.lang.String COLUMN_NW_PROTO

See Also:

Constant Field Values

COLUMN_TP_SRC

public static final java.lang.String COLUMN_TP_SRC

See Also:

Constant Field Values

COLUMN_TP_DST

public static final java.lang.String COLUMN_TP_DST

See Also:

Constant Field Values

COLUMN_WILDCARD_DPID

public static final java.lang.String COLUMN_WILDCARD_DPID

See Also:

Constant Field Values

COLUMN_WILDCARD_IN_PORT

public static final java.lang.String COLUMN_WILDCARD_IN_PORT

See Also:

Constant Field Values

COLUMN_WILDCARD_DL_SRC

public static final java.lang.String COLUMN_WILDCARD_DL_SRC

See Also:

Constant Field Values

COLUMN_WILDCARD_DL_DST

public static final java.lang.String COLUMN_WILDCARD_DL_DST

See Also:

Constant Field Values

COLUMN_WILDCARD_DL_TYPE

public static final java.lang.String COLUMN_WILDCARD_DL_TYPE

See Also:

Constant Field Values

COLUMN_WILDCARD_NW_SRC

public static final java.lang.String COLUMN_WILDCARD_NW_SRC

See Also:

Constant Field Values

COLUMN_WILDCARD_NW_DST

public static final java.lang.String COLUMN_WILDCARD_NW_DST

See Also:

Constant Field Values

COLUMN_WILDCARD_NW_PROTO

public static final java.lang.String COLUMN_WILDCARD_NW_PROTO

See Also:

Constant Field Values

COLUMN_WILDCARD_TP_SRC

public static final java.lang.String COLUMN_WILDCARD_TP_SRC

See Also:

Constant Field Values

COLUMN_WILDCARD_TP_DST

public static final java.lang.String COLUMN_WILDCARD_TP_DST

See Also:

Constant Field Values

COLUMN_PRIORITY

public static final java.lang.String COLUMN_PRIORITY

See Also:

Constant Field Values

COLUMN_ACTION

public static final java.lang.String COLUMN_ACTION

See Also:

Constant Field Values

ColumnNames

public static java.lang.String[] ColumnNames

Constructor Detail

OFMFirewall

public OFMFirewall()

Method Detail

getStorageInstance

public OFMStorageManager getStorageInstance()

getDbName

public java.lang.String getDbName()

getCollectionName

public java.lang.String getCollectionName()

getInputPort

protected int getInputPort(org.openflow.protocol.interfaces.OFPacketIn pi)

processPacketInMessage

private boolean processPacketInMessage(IOFSwitch sw,
                             org.openflow.protocol.interfaces.OFPacketIn pi,
                             IRoutingDecision decision,
                             MessageContext cntx)

Checks the incoming packet with the firewall policy and create a decision to handle the packet.

Parameters:

sw - the switch instance

pi - packetin

decision - the routing decision

cntx - the MessageContext

Returns:

true when normally terminated

matchWithRule

protected RuleWildcardsPair matchWithRule(IOFSwitch sw,
                              org.openflow.protocol.interfaces.OFPacketIn pi,
                              MessageContext cntx)

Iterates over the firewall rules and tries to match them with the incoming packet (flow). Uses the FirewallRule class's matchWithFlow method to perform matching. It maintains a pair of wildcards (allow and deny) which are assigned later to the firewall's decision, where 'allow' wildcards are applied if the matched rule turns out to be an ALLOW rule and 'deny' wildcards are applied otherwise. Wildcards are applied to firewall decision to optimize flows in the switch, ensuring least number of flows per firewall rule. So, if a particular field is not "ANY" (i.e. not wildcarded) in a higher priority rule, then if a lower priority rule matches the packet and wildcards it, it can't be wildcarded in the switch's flow entry, because otherwise some packets matching the higher priority rule might escape the firewall. The reason for keeping different two different wildcards is that if a field is not wildcarded in a higher priority allow rule, the same field shouldn't be wildcarded for packets matching the lower priority deny rule (non-wildcarded fields in higher priority rules override the wildcarding of those fields in lower priority rules of the opposite type). So, to ensure that wildcards are appropriately set for different types of rules (allow vs. deny), separate wildcards are maintained. Iteration is performed on the sorted list of rules (sorted in decreasing order of priority).

Parameters:

sw - the switch instance

pi - packetin

cntx - the MessageContext

Returns:

an instance of RuleWildcardsPair that specify rule that matches and the wildcards for the firewall decision

IPIsBroadcast

protected boolean IPIsBroadcast(int IPAddress)

Checks whether an IP address is a broadcast address or not.

Parameters:

IPAddress - the IP address to check

Returns:

true if it is a broadcast address, false otherwise

readRulesFromStorage

protected java.util.ArrayList<FirewallRule> readRulesFromStorage()

Reads the rules from the persistent database and creates a sorted array list of FirewallRule. Similar to getStorageRules(), which only reads contents for REST GET and does no parsing, checking, nor putting into FirewallRule objects.

Returns:

the sorted array list of FirewallRule instances (rules from the database)

initialize

protected void initialize()

Initializes this module. As this module processes all PACKET_IN messages, it registers filter to receive those messages.

Specified by:

initialize in class OFModule

handleHandshakedEvent

protected boolean handleHandshakedEvent(Connection conn,
                            MessageContext context)

Description copied from class: OFModule

An abstract method that all subclasses should implement. This method is called after FEATURE-REQUEST and FEATURE-REPLY is correct exchanged, by OFModule.processHandshakeFinished(Connection, MessageContext). Normally, most of modules have very simple implementation for this method, only returning true.

Specified by:

handleHandshakedEvent in class OFModule

Parameters:

conn - connection that the event has occurred

context - message context for the handshaking messages

Returns:

true is returned when the event has been correctly processed. false otherwise.

handleMessage

protected boolean handleMessage(Connection conn,
                    MessageContext context,
                    org.openflow.protocol.OFMessage msg,
                    java.util.List<org.openflow.protocol.OFMessage> outgoing)

Description copied from class: OFModule

Handle incoming messages that pass the test of filters. All subclasses of OFModule must implement this method. This method is called by OFModule.processMessage(Connection, MessageContext, OFMessage, List).

Specified by:

handleMessage in class OFModule

Parameters:

conn - connection that the message has arrived

context - message context for the message

msg - the actual message object

outgoing - responses for the message arrived, which is filled by the handleMessage implementation

Returns:

true if the message has been correctly processed. false otherwise.

handleDisconnect

protected boolean handleDisconnect(Connection conn)

Description copied from class: OFModule

Process the disconnection event from a switch. This callback method is called by OFModule.processDisconnect(Connection). All subclasses of OFModule should implement this method.

Specified by:

handleDisconnect in class OFModule

Parameters:

conn - connection that the event has occurred

Returns:

true if the event has been correctly processed. false otherwise.

getModels

public OFModel[] getModels()

Description copied from class: OFModule

returns the array of all OFModel objects associated with this module. Normally the size of the array is one, but not limited to.

Specified by:

getModels in class OFModule

Returns:

the array of OFModel objects

enableFirewall

public void enableFirewall(boolean enabled)

Description copied from interface: IFirewallService

Enables/disables the firewall.

Specified by:

enableFirewall in interface IFirewallService

Parameters:

enabled - true when enabled, false when disabled

isEnabled

public boolean isEnabled()

Description copied from interface: IFirewallService

Returns operational status of the firewall.

Specified by:

isEnabled in interface IFirewallService

Returns:

true when enabled, false when disabled

getRules

public java.util.List<FirewallRule> getRules()

Description copied from interface: IFirewallService

Returns all firewall rules.

Specified by:

getRules in interface IFirewallService

Returns:

a list of all firewall rules

getSubnetMask

public java.lang.String getSubnetMask()

Description copied from interface: IFirewallService

Returns the subnet mask.

Specified by:

getSubnetMask in interface IFirewallService

Returns:

the subnet mask

setSubnetMask

public void setSubnetMask(java.lang.String newMask)

Description copied from interface: IFirewallService

Sets the subnet mask

Specified by:

setSubnetMask in interface IFirewallService

Parameters:

newMask - The new subnet mask

getStorageRules

public java.util.List<java.util.Map<java.lang.String,java.lang.Object>> getStorageRules()

Description copied from interface: IFirewallService

Returns all firewall rules of the persistent database.

Specified by:

getStorageRules in interface IFirewallService

Returns:

a list of all firewall rules

addRule

public void addRule(FirewallRule rule)

Description copied from interface: IFirewallService

Adds a new firewall rule into the memory storage and the persistent database.

Specified by:

addRule in interface IFirewallService

Parameters:

rule - a new firewall rule

deleteRule

public void deleteRule(int ruleid)

Description copied from interface: IFirewallService

Deletes the firewall rule using the ruleid from the memory storage and the persistent database.

Specified by:

deleteRule in interface IFirewallService

Parameters:

ruleid - the ruleid of firewall rule to delete

clearRules

public void clearRules()

Description copied from interface: IFirewallService

Delete all the rules from the memory storage and the persistent database.

Specified by:

clearRules in interface IFirewallService