| 102 | '''To get you started, you can download an incomplete version of `firewall.rb` from [http://www.gpolab.bbn.com/experiment-support/OpenFlowExampleExperiment/firewall.rb here], as well as a sample `fw.conf` from [http://www.gpolab.bbn.com/experiment-support/OpenFlowExampleExperiment/fw.conf here].''' [[BR]] |
| 103 | '''Question 1. Fill in the blanks in function `switch_ready` to insert rules into the OpenFlow switch that allow ICMP and ARP packets to go through.''' [[BR]] |
| 104 | '''Question 2. Fill in the blanks in function `packet_in` to insert a flow match in the OpenFlow device that allows packets matching the rules in fw.conf (as well as those on the reverse path) to pass.''' [[BR]] |
| 105 | '''Question 3. Fill in the blanks in function `packet_in` to insert rules that drop all other packets that do not match the rules specified in fw.conf.''' [[BR]] |
| 106 | To verify your implementation, run the following on the switch: |
| 107 | {{{ |
| 108 | /opt/trema-trema-8e97343/trema run 'firewall.rb fw.conf' |
| 109 | }}} |
| 110 | Then try to ping from left to right. Ping should go through since you allowed ICMP packets and ARP packets to pass. [[BR]] |
| 111 | If you are using the fw.conf we provided, try to run a TCP session from left to right with iperf on ports 5001, 5002 and 5003. |
| 112 | The fw.conf file we provided specifically allows TCP through ports 5001 and 5002, but not port 5003, so iperf should report throughput results for ports 5001 and 5002 but not for 5003. |
| 113 | |
| 114 | Try changing the code and the fw.conf file to set up more rules, then verify your settings via iperf or telnet. [[BR]] |
| 115 | You can check the flow table on the OpenFlow Switch via: |
| 116 | {{{ |
| 117 | sudo /opt/openvswitch-1.6.1-F15/bin/ovs-ofctl dump-flows tcp:127.0.0.1:6634 |
| 118 | }}} |
| 119 | A sample output should be something like the following: |
| 120 | {{{ |
| 121 | NXST_FLOW reply (xid=0x4): |
| 122 | cookie=0x1, duration=165.561s, table=0, n_packets=6, n_bytes=360, idle_age=17,priority=65535,arp actions=NORMAL |
| 123 | cookie=0xa, duration=43.24s, table=0, n_packets=3, n_bytes=222, idle_timeout=300,idle_age=22,priority=65535,tcp,in_port=1,vlan_tci=0x0000,dl_src=00:02:b3:65:d1:2b,dl_dst=00:03:47:94:c7:fd,nw_src=10.10.10.1,nw_dst=10.10.11.1,nw_tos=0,tp_src=46361,tp_dst=5003 actions=drop |
| 124 | cookie=0x5, duration=147.156s, table=0, n_packets=18289, n_bytes=27682198, idle_timeout=300,idle_age=137,priority=65535,tcp,in_port=1,vlan_tci=0x0000,dl_src=00:02:b3:65:d1:2b,dl_dst=00:03:47:94:c7:fd,nw_src=10.10.10.1,nw_dst=10.10.11.1,nw_tos=0,tp_src=33385,tp_dst=5001 actions=NORMAL |
| 125 | cookie=0x9, duration=105.294s, table=0, n_packets=4, n_bytes=296, idle_timeout=300,idle_age=60,priority=65535,tcp,in_port=1,vlan_tci=0x0000,dl_src=00:02:b3:65:d1:2b,dl_dst=00:03:47:94:c7:fd,nw_src=10.10.10.1,nw_dst=10.10.11.1,nw_tos=0,tp_src=46360,tp_dst=5003 actions=drop |
| 126 | cookie=0x7, duration=124.764s, table=0, n_packets=17902, n_bytes=27095256, idle_timeout=300,idle_age=114,priority=65535,tcp,in_port=1,vlan_tci=0x0000,dl_src=00:02:b3:65:d1:2b,dl_dst=00:03:47:94:c7:fd,nw_src=10.10.10.1,nw_dst=10.10.11.1,nw_tos=0,tp_src=57908,tp_dst=5002 actions=NORMAL |
| 127 | cookie=0x3, duration=165.561s, table=0, n_packets=1, n_bytes=74, idle_timeout=300,idle_age=124,priority=65535,tcp,nw_src=10.10.10.0/24,nw_dst=10.10.11.0/24,tp_dst=5002 actions=CONTROLLER:65535 |
| 128 | cookie=0x4, duration=165.561s, table=0, n_packets=1, n_bytes=74, idle_timeout=300,idle_age=147,priority=65535,tcp,nw_src=10.10.10.0/24,nw_dst=10.10.11.0/24,tp_dst=5001 actions=CONTROLLER:65535 |
| 129 | cookie=0x2, duration=165.561s, table=0, n_packets=0, n_bytes=0, idle_age=165,priority=65535,icmp actions=NORMAL |
| 130 | cookie=0x6, duration=147.156s, table=0, n_packets=9387, n_bytes=624254, idle_timeout=300,idle_age=137,priority=65535,tcp,nw_src=10.10.11.1,nw_dst=10.10.10.1,tp_src=5001,tp_dst=33385 actions=NORMAL |
| 131 | cookie=0x8, duration=124.764s, table=0, n_packets=9257, n_bytes=617666, idle_timeout=300,idle_age=114,priority=65535,tcp,nw_src=10.10.11.1,nw_dst=10.10.10.1,tp_src=5002,tp_dst=57908 actions=NORMAL |
| 132 | }}} |
| 133 | |
| 134 | |
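One way to automate the flow-table check above, as an added example that is not part of the original page or of `firewall.rb`: a Ruby script that parses the dump and confirms that ARP and ICMP pass, that every forwarded TCP connection uses an allowed port and has a reverse-path entry, and that no allowed port is dropped. The function names and the allowed-port list `[5001, 5002]` (taken from the description of the provided fw.conf) are assumptions, and the sample input is abridged from the output above.

```ruby
# Added example (not part of firewall.rb): audit `ovs-ofctl dump-flows` output.
# SAMPLE is constructed: entries abridged from the sample output on this page.
SAMPLE = <<~FLOWS
  NXST_FLOW reply (xid=0x4):
   cookie=0x1, duration=165.561s, table=0, priority=65535,arp actions=NORMAL
   cookie=0x2, duration=165.561s, table=0, priority=65535,icmp actions=NORMAL
   cookie=0x4, duration=165.561s, table=0, priority=65535,tcp,nw_src=10.10.10.0/24,nw_dst=10.10.11.0/24,tp_dst=5001 actions=CONTROLLER:65535
   cookie=0x5, duration=147.156s, table=0, priority=65535,tcp,in_port=1,nw_src=10.10.10.1,nw_dst=10.10.11.1,tp_src=33385,tp_dst=5001 actions=NORMAL
   cookie=0x6, duration=147.156s, table=0, priority=65535,tcp,nw_src=10.10.11.1,nw_dst=10.10.10.1,tp_src=5001,tp_dst=33385 actions=NORMAL
   cookie=0xa, duration=43.24s, table=0, priority=65535,tcp,in_port=1,nw_src=10.10.10.1,nw_dst=10.10.11.1,tp_src=46361,tp_dst=5003 actions=drop
FLOWS

# Turn each flow entry into a hash of match fields plus 'proto' and 'action'.
def parse_flows(text)
  text.each_line.map(&:strip).select { |l| l.include?(' actions=') }.map do |line|
    match, action = line.split(' actions=', 2)
    flow = { 'action' => action }
    match.split(/,\s*/).each do |tok|
      key, val = tok.split('=', 2)
      if val then flow[key] = val else flow['proto'] = key end
    end
    flow
  end
end

# Return a list of findings; an empty list means the table matches the policy.
def audit(flows, allowed_ports)
  findings = []
  %w[arp icmp].each do |proto|
    ok = flows.any? { |f| f['proto'] == proto && f['action'] == 'NORMAL' }
    findings << "no NORMAL rule for #{proto}" unless ok
  end
  # Per-connection entries are the ones that pin both TCP ports.
  conns = flows.select { |f| f['proto'] == 'tcp' && f['tp_src'] && f['tp_dst'] }
  id = ->(f) { f.values_at('nw_src', 'tp_src', 'nw_dst', 'tp_dst') }
  passed = conns.select { |f| f['action'] == 'NORMAL' }
  passed.each do |f|
    ports = [f['tp_src'].to_i, f['tp_dst'].to_i]
    findings << "port not in policy: #{id.(f).join(' ')}" if (ports & allowed_ports).empty?
    mirror = f.values_at('nw_dst', 'tp_dst', 'nw_src', 'tp_src')
    findings << "no reverse flow for #{id.(f).join(' ')}" unless passed.any? { |g| id.(g) == mirror }
  end
  conns.select { |f| f['action'] == 'drop' }.each do |f|
    findings << "allowed port dropped: #{id.(f).join(' ')}" if allowed_ports.include?(f['tp_dst'].to_i)
  end
  findings
end

puts audit(parse_flows(SAMPLE), [5001, 5002]).inspect if __FILE__ == $PROGRAM_NAME
```

To run it against a live switch, pass the text printed by the `ovs-ofctl dump-flows` command above to `parse_flows` in place of `SAMPLE`.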