package net.floodlightcontroller.firewall; import java.util.Collection; import java.util.Collections; import java.util.HashMap; import java.util.Iterator; import java.util.List; import java.util.Map; import org.openflow.protocol.OFMessage; import org.openflow.protocol.OFPacketIn; import org.openflow.protocol.OFType; import net.floodlightcontroller.core.FloodlightContext; import net.floodlightcontroller.core.IOFMessageListener; import net.floodlightcontroller.core.IOFSwitch; import net.floodlightcontroller.core.module.FloodlightModuleContext; import net.floodlightcontroller.core.module.FloodlightModuleException; import net.floodlightcontroller.core.module.IFloodlightModule; import net.floodlightcontroller.core.module.IFloodlightService; import net.floodlightcontroller.core.IFloodlightProviderService; import net.floodlightcontroller.devicemanager.IDeviceService; import java.util.ArrayList; import net.floodlightcontroller.packet.Ethernet; import net.floodlightcontroller.packet.IPv4; import net.floodlightcontroller.restserver.IRestApiService; import net.floodlightcontroller.routing.IRoutingDecision; import net.floodlightcontroller.routing.RoutingDecision; import net.floodlightcontroller.storage.IResultSet; import net.floodlightcontroller.storage.IStorageSourceService; import net.floodlightcontroller.storage.StorageException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; /** * Stateless firewall implemented as a Google Summer of Code project. * Configuration done through REST API * * @author Amer Tahir * @edited KC Wang */ public class Firewall implements IFirewallService, IOFMessageListener, IFloodlightModule { // service modules needed protected IFloodlightProviderService floodlightProvider; protected IStorageSourceService storageSource; protected IRestApiService restApi; protected static Logger logger; protected List<FirewallRule> rules; // protected by synchronized protected boolean enabled; protected int subnet_mask = IPv4.toIPv4Address("255.255.255.0"); // constant strings for storage/parsing public static final String TABLE_NAME = "controller_firewallrules"; public static final String COLUMN_RULEID = "ruleid"; public static final String COLUMN_DPID = "dpid"; public static final String COLUMN_IN_PORT = "in_port"; public static final String COLUMN_DL_SRC = "dl_src"; public static final String COLUMN_DL_DST = "dl_dst"; public static final String COLUMN_DL_TYPE = "dl_type"; public static final String COLUMN_NW_SRC_PREFIX = "nw_src_prefix"; public static final String COLUMN_NW_SRC_MASKBITS = "nw_src_maskbits"; public static final String COLUMN_NW_DST_PREFIX = "nw_dst_prefix"; public static final String COLUMN_NW_DST_MASKBITS = "nw_dst_maskbits"; public static final String COLUMN_NW_PROTO = "nw_proto"; public static final String COLUMN_TP_SRC = "tp_src"; public static final String COLUMN_TP_DST = "tp_dst"; public static final String COLUMN_WILDCARD_DPID = "wildcard_dpid"; public static final String COLUMN_WILDCARD_IN_PORT = "wildcard_in_port"; public static final String COLUMN_WILDCARD_DL_SRC = "wildcard_dl_src"; public static final String COLUMN_WILDCARD_DL_DST = "wildcard_dl_dst"; public static final String COLUMN_WILDCARD_DL_TYPE = "wildcard_dl_type"; public static final String COLUMN_WILDCARD_NW_SRC = "wildcard_nw_src"; public static final String COLUMN_WILDCARD_NW_DST = "wildcard_nw_dst"; public static final String COLUMN_WILDCARD_NW_PROTO = "wildcard_nw_proto"; public static final String COLUMN_WILDCARD_TP_SRC = "wildcard_tp_src"; public static final String COLUMN_WILDCARD_TP_DST = "wildcard_tp_dst"; public static final String COLUMN_PRIORITY = "priority"; public static final String COLUMN_ACTION = "action"; public static String ColumnNames[] = { COLUMN_RULEID, COLUMN_DPID, COLUMN_IN_PORT, COLUMN_DL_SRC, COLUMN_DL_DST, COLUMN_DL_TYPE, COLUMN_NW_SRC_PREFIX, COLUMN_NW_SRC_MASKBITS, COLUMN_NW_DST_PREFIX, COLUMN_NW_DST_MASKBITS, COLUMN_NW_PROTO, COLUMN_TP_SRC, COLUMN_TP_DST, COLUMN_WILDCARD_DPID, COLUMN_WILDCARD_IN_PORT, COLUMN_WILDCARD_DL_SRC, COLUMN_WILDCARD_DL_DST, COLUMN_WILDCARD_DL_TYPE, COLUMN_WILDCARD_NW_SRC, COLUMN_WILDCARD_NW_DST, COLUMN_WILDCARD_NW_PROTO, COLUMN_PRIORITY, COLUMN_ACTION }; @Override public String getName() { return "firewall"; } @Override public boolean isCallbackOrderingPrereq(OFType type, String name) { // no prereq return false; } @Override public boolean isCallbackOrderingPostreq(OFType type, String name) { return (type.equals(OFType.PACKET_IN) && name.equals("forwarding")); } @Override public Collection<Class<? extends IFloodlightService>> getModuleServices() { Collection<Class<? extends IFloodlightService>> l = new ArrayList<Class<? extends IFloodlightService>>(); l.add(IFirewallService.class); return l; } @Override public Map<Class<? extends IFloodlightService>, IFloodlightService> getServiceImpls() { Map<Class<? extends IFloodlightService>, IFloodlightService> m = new HashMap<Class<? extends IFloodlightService>, IFloodlightService>(); // We are the class that implements the service m.put(IFirewallService.class, this); return m; } @Override public Collection<Class<? extends IFloodlightService>> getModuleDependencies() { Collection<Class<? extends IFloodlightService>> l = new ArrayList<Class<? extends IFloodlightService>>(); l.add(IFloodlightProviderService.class); l.add(IStorageSourceService.class); l.add(IRestApiService.class); return l; } /** * Reads the rules from the storage and creates a sorted arraylist of * FirewallRule from them. * * Similar to getStorageRules(), which only reads contents for REST GET and * does no parsing, checking, nor putting into FirewallRule objects * * @return the sorted arraylist of FirewallRule instances (rules from * storage) */ protected ArrayList<FirewallRule> readRulesFromStorage() { ArrayList<FirewallRule> l = new ArrayList<FirewallRule>(); try { Map<String, Object> row; // (..., null, null) for no predicate, no ordering IResultSet resultSet = storageSource.executeQuery(TABLE_NAME, ColumnNames, null, null); // put retrieved rows into FirewallRules for (Iterator<IResultSet> it = resultSet.iterator(); it.hasNext();) { row = it.next().getRow(); // now, parse row FirewallRule r = new FirewallRule(); if (!row.containsKey(COLUMN_RULEID) || !row.containsKey(COLUMN_DPID)) { logger.error( "skipping entry with missing required 'ruleid' or 'switchid' entry: {}", row); return l; } try { r.ruleid = Integer .parseInt((String) row.get(COLUMN_RULEID)); r.dpid = Long.parseLong((String) row.get(COLUMN_DPID)); for (String key : row.keySet()) { if (row.get(key) == null) continue; if (key.equals(COLUMN_RULEID) || key.equals(COLUMN_DPID) || key.equals("id")) { continue; // already handled } else if (key.equals(COLUMN_IN_PORT)) { r.in_port = Short.parseShort((String) row .get(COLUMN_IN_PORT)); } else if (key.equals(COLUMN_DL_SRC)) { r.dl_src = Long.parseLong((String) row .get(COLUMN_DL_SRC)); } else if (key.equals(COLUMN_DL_DST)) { r.dl_dst = Long.parseLong((String) row .get(COLUMN_DL_DST)); } else if (key.equals(COLUMN_DL_TYPE)) { r.dl_type = Short.parseShort((String) row .get(COLUMN_DL_TYPE)); } else if (key.equals(COLUMN_NW_SRC_PREFIX)) { r.nw_src_prefix = Integer.parseInt((String) row .get(COLUMN_NW_SRC_PREFIX)); } else if (key.equals(COLUMN_NW_SRC_MASKBITS)) { r.nw_src_maskbits = Integer.parseInt((String) row .get(COLUMN_NW_SRC_MASKBITS)); } else if (key.equals(COLUMN_NW_DST_PREFIX)) { r.nw_dst_prefix = Integer.parseInt((String) row .get(COLUMN_NW_DST_PREFIX)); } else if (key.equals(COLUMN_NW_DST_MASKBITS)) { r.nw_dst_maskbits = Integer.parseInt((String) row .get(COLUMN_NW_DST_MASKBITS)); } else if (key.equals(COLUMN_NW_PROTO)) { r.nw_proto = Short.parseShort((String) row .get(COLUMN_NW_PROTO)); } else if (key.equals(COLUMN_TP_SRC)) { r.tp_src = Short.parseShort((String) row .get(COLUMN_TP_SRC)); } else if (key.equals(COLUMN_TP_DST)) { r.tp_dst = Short.parseShort((String) row .get(COLUMN_TP_DST)); } else if (key.equals(COLUMN_WILDCARD_DPID)) { r.wildcard_dpid = Boolean.parseBoolean((String) row .get(COLUMN_WILDCARD_DPID)); } else if (key.equals(COLUMN_WILDCARD_IN_PORT)) { r.wildcard_in_port = Boolean .parseBoolean((String) row .get(COLUMN_WILDCARD_IN_PORT)); } else if (key.equals(COLUMN_WILDCARD_DL_SRC)) { r.wildcard_dl_src = Boolean .parseBoolean((String) row .get(COLUMN_WILDCARD_DL_SRC)); } else if (key.equals(COLUMN_WILDCARD_DL_DST)) { r.wildcard_dl_dst = Boolean .parseBoolean((String) row .get(COLUMN_WILDCARD_DL_DST)); } else if (key.equals(COLUMN_WILDCARD_DL_TYPE)) { r.wildcard_dl_type = Boolean .parseBoolean((String) row .get(COLUMN_WILDCARD_DL_TYPE)); } else if (key.equals(COLUMN_WILDCARD_NW_SRC)) { r.wildcard_nw_src = Boolean .parseBoolean((String) row .get(COLUMN_WILDCARD_NW_SRC)); } else if (key.equals(COLUMN_WILDCARD_NW_DST)) { r.wildcard_nw_dst = Boolean .parseBoolean((String) row .get(COLUMN_WILDCARD_NW_DST)); } else if (key.equals(COLUMN_WILDCARD_NW_PROTO)) { r.wildcard_nw_proto = Boolean .parseBoolean((String) row .get(COLUMN_WILDCARD_NW_PROTO)); } else if (key.equals(COLUMN_PRIORITY)) { r.priority = Integer.parseInt((String) row .get(COLUMN_PRIORITY)); } else if (key.equals(COLUMN_ACTION)) { int tmp = Integer.parseInt((String) row.get(COLUMN_ACTION)); if (tmp == FirewallRule.FirewallAction.DENY.ordinal()) r.action = FirewallRule.FirewallAction.DENY; else if (tmp == FirewallRule.FirewallAction.ALLOW.ordinal()) r.action = FirewallRule.FirewallAction.ALLOW; else { r.action = null; logger.error("action not recognized"); } } } } catch (ClassCastException e) { logger.error( "skipping rule {} with bad data : " + e.getMessage(), r.ruleid); } if (r.action != null) l.add(r); } } catch (StorageException e) { logger.error("failed to access storage: {}", e.getMessage()); // if the table doesn't exist, then wait to populate later via // setStorageSource() } // now, sort the list based on priorities Collections.sort(l); return l; } @Override public void init(FloodlightModuleContext context) throws FloodlightModuleException { floodlightProvider = context .getServiceImpl(IFloodlightProviderService.class); storageSource = context.getServiceImpl(IStorageSourceService.class); restApi = context.getServiceImpl(IRestApiService.class); rules = new ArrayList<FirewallRule>(); logger = LoggerFactory.getLogger(Firewall.class); // start disabled enabled = false; } @Override public void startUp(FloodlightModuleContext context) { // register REST interface restApi.addRestletRoutable(new FirewallWebRoutable()); // always place firewall in pipeline at bootup floodlightProvider.addOFMessageListener(OFType.PACKET_IN, this); // storage, create table and read rules storageSource.createTable(TABLE_NAME, null); storageSource.setTablePrimaryKeyName(TABLE_NAME, COLUMN_RULEID); synchronized (rules) { this.rules = readRulesFromStorage(); } } @Override public Command receive(IOFSwitch sw, OFMessage msg, FloodlightContext cntx) { if (!this.enabled) return Command.CONTINUE; switch (msg.getType()) { case PACKET_IN: IRoutingDecision decision = null; if (cntx != null) { decision = IRoutingDecision.rtStore.get(cntx, IRoutingDecision.CONTEXT_DECISION); return this.processPacketInMessage(sw, (OFPacketIn) msg, decision, cntx); } break; default: break; } return Command.CONTINUE; } @Override public void enableFirewall(boolean enabled) { logger.info("Setting firewall to {}", enabled); this.enabled = enabled; } @Override public List<FirewallRule> getRules() { return this.rules; } // Only used to serve REST GET // Similar to readRulesFromStorage(), which actually checks and stores // record into FirewallRule list @Override public List<Map<String, Object>> getStorageRules() { ArrayList<Map<String, Object>> l = new ArrayList<Map<String, Object>>(); try { // null1=no predicate, null2=no ordering IResultSet resultSet = storageSource.executeQuery(TABLE_NAME, ColumnNames, null, null); for (Iterator<IResultSet> it = resultSet.iterator(); it.hasNext();) { l.add(it.next().getRow()); } } catch (StorageException e) { logger.error("failed to access storage: {}", e.getMessage()); // if the table doesn't exist, then wait to populate later via // setStorageSource() } return l; } @Override public String getSubnetMask() { return IPv4.fromIPv4Address(this.subnet_mask); } @Override public void setSubnetMask(String newMask) { if (newMask.trim().isEmpty()) return; this.subnet_mask = IPv4.toIPv4Address(newMask.trim()); } @Override public synchronized void addRule(FirewallRule rule) { // generate random ruleid for each newly created rule // may want to return to caller if useful // may want to check conflict rule.ruleid = rule.genID(); int i = 0; // locate the position of the new rule in the sorted arraylist for (i = 0; i < this.rules.size(); i++) { if (this.rules.get(i).priority >= rule.priority) break; } // now, add rule to the list if (i <= this.rules.size()) { this.rules.add(i, rule); } else { this.rules.add(rule); } // add rule to database Map<String, Object> entry = new HashMap<String, Object>(); entry.put(COLUMN_RULEID, Integer.toString(rule.ruleid)); entry.put(COLUMN_DPID, Long.toString(rule.dpid)); entry.put(COLUMN_IN_PORT, Short.toString(rule.in_port)); entry.put(COLUMN_DL_SRC, Long.toString(rule.dl_src)); entry.put(COLUMN_DL_DST, Long.toString(rule.dl_dst)); entry.put(COLUMN_DL_TYPE, Short.toString(rule.dl_type)); entry.put(COLUMN_NW_SRC_PREFIX, Integer.toString(rule.nw_src_prefix)); entry.put(COLUMN_NW_SRC_MASKBITS, Integer.toString(rule.nw_src_maskbits)); entry.put(COLUMN_NW_DST_PREFIX, Integer.toString(rule.nw_dst_prefix)); entry.put(COLUMN_NW_DST_MASKBITS, Integer.toString(rule.nw_dst_maskbits)); entry.put(COLUMN_NW_PROTO, Short.toString(rule.nw_proto)); entry.put(COLUMN_TP_SRC, Integer.toString(rule.tp_src)); entry.put(COLUMN_TP_DST, Integer.toString(rule.tp_dst)); entry.put(COLUMN_WILDCARD_DPID, Boolean.toString(rule.wildcard_dpid)); entry.put(COLUMN_WILDCARD_IN_PORT, Boolean.toString(rule.wildcard_in_port)); entry.put(COLUMN_WILDCARD_DL_SRC, Boolean.toString(rule.wildcard_dl_src)); entry.put(COLUMN_WILDCARD_DL_DST, Boolean.toString(rule.wildcard_dl_dst)); entry.put(COLUMN_WILDCARD_DL_TYPE, Boolean.toString(rule.wildcard_dl_type)); entry.put(COLUMN_WILDCARD_NW_SRC, Boolean.toString(rule.wildcard_nw_src)); entry.put(COLUMN_WILDCARD_NW_DST, Boolean.toString(rule.wildcard_nw_dst)); entry.put(COLUMN_WILDCARD_NW_PROTO, Boolean.toString(rule.wildcard_nw_proto)); entry.put(COLUMN_WILDCARD_TP_SRC, Boolean.toString(rule.wildcard_tp_src)); entry.put(COLUMN_WILDCARD_TP_DST, Boolean.toString(rule.wildcard_tp_dst)); entry.put(COLUMN_PRIORITY, Integer.toString(rule.priority)); entry.put(COLUMN_ACTION, Integer.toString(rule.action.ordinal())); storageSource.insertRow(TABLE_NAME, entry); } @Override public synchronized void deleteRule(int ruleid) { Iterator<FirewallRule> iter = this.rules.iterator(); while (iter.hasNext()) { FirewallRule r = iter.next(); if (r.ruleid == ruleid) { // found the rule, now remove it iter.remove(); break; } } // delete from database storageSource.deleteRow(TABLE_NAME, Integer.toString(ruleid)); } /** * Iterates over the firewall rules and tries to match them with the * incoming packet (flow). Uses the FirewallRule class's matchWithFlow * method to perform matching. It maintains a pair of wildcards (allow and * deny) which are assigned later to the firewall's decision, where 'allow' * wildcards are applied if the matched rule turns out to be an ALLOW rule * and 'deny' wildcards are applied otherwise. Wildcards are applied to * firewall decision to optimize flows in the switch, ensuring least number * of flows per firewall rule. So, if a particular field is not "ANY" (i.e. * not wildcarded) in a higher priority rule, then if a lower priority rule * matches the packet and wildcards it, it can't be wildcarded in the * switch's flow entry, because otherwise some packets matching the higher * priority rule might escape the firewall. The reason for keeping different * two different wildcards is that if a field is not wildcarded in a higher * priority allow rule, the same field shouldn't be wildcarded for packets * matching the lower priority deny rule (non-wildcarded fields in higher * priority rules override the wildcarding of those fields in lower priority * rules of the opposite type). So, to ensure that wildcards are * appropriately set for different types of rules (allow vs. deny), separate * wildcards are maintained. Iteration is performed on the sorted list of * rules (sorted in decreasing order of priority). * * @param sw * the switch instance * @param pi * the incoming packet data structure * @param cntx * the floodlight context * @return an instance of RuleWildcardsPair that specify rule that matches * and the wildcards for the firewall decision */ protected RuleWildcardsPair matchWithRule(IOFSwitch sw, OFPacketIn pi, FloodlightContext cntx) { FirewallRule matched_rule = null; Ethernet eth = IFloodlightProviderService.bcStore.get(cntx, IFloodlightProviderService.CONTEXT_PI_PAYLOAD); WildcardsPair wildcards = new WildcardsPair(); synchronized (rules) { Iterator<FirewallRule> iter = this.rules.iterator(); FirewallRule rule = null; // iterate through list to find a matching firewall rule while (iter.hasNext()) { // get next rule from list rule = iter.next(); // check if rule matches if (rule.matchesFlow(sw.getId(), pi.getInPort(), eth, wildcards) == true) { matched_rule = rule; break; } } } // make a pair of rule and wildcards, then return it RuleWildcardsPair ret = new RuleWildcardsPair(); ret.rule = matched_rule; if (matched_rule == null || matched_rule.action == FirewallRule.FirewallAction.DENY) { ret.wildcards = wildcards.drop; } else { ret.wildcards = wildcards.allow; } return ret; } /** * Checks whether an IP address is a broadcast address or not (determines * using subnet mask) * * @param IPAddress * the IP address to check * @return true if it is a broadcast address, false otherwise */ protected boolean IPIsBroadcast(int IPAddress) { // inverted subnet mask int inv_subnet_mask = ~this.subnet_mask; return ((IPAddress & inv_subnet_mask) == inv_subnet_mask); } public Command processPacketInMessage(IOFSwitch sw, OFPacketIn pi, IRoutingDecision decision, FloodlightContext cntx) { Ethernet eth = IFloodlightProviderService.bcStore.get(cntx, IFloodlightProviderService.CONTEXT_PI_PAYLOAD); // Allowing L2 broadcast + ARP broadcast request (also deny malformed // broadcasts -> L2 broadcast + L3 unicast) if (eth.isBroadcast() == true) { boolean allowBroadcast = true; // the case to determine if we have L2 broadcast + L3 unicast // don't allow this broadcast packet if such is the case (malformed // packet) if (eth.getEtherType() == Ethernet.TYPE_IPv4 && this.IPIsBroadcast(((IPv4) eth.getPayload()) .getDestinationAddress()) == false) { allowBroadcast = false; } if (allowBroadcast == true) { if (logger.isTraceEnabled()) logger.trace("Allowing broadcast traffic for PacketIn={}", pi); decision = new RoutingDecision(sw.getId(), pi.getInPort() , IDeviceService.fcStore. get(cntx, IDeviceService.CONTEXT_SRC_DEVICE), IRoutingDecision.RoutingAction.MULTICAST); decision.addToContext(cntx); } else { if (logger.isTraceEnabled()) logger.trace( "Blocking malformed broadcast traffic for PacketIn={}", pi); decision = new RoutingDecision(sw.getId(), pi.getInPort() , IDeviceService.fcStore. get(cntx, IDeviceService.CONTEXT_SRC_DEVICE), IRoutingDecision.RoutingAction.DROP); decision.addToContext(cntx); } return Command.CONTINUE; } /* * ARP response (unicast) can be let through without filtering through * rules by uncommenting the code below */ /* * else if (eth.getEtherType() == Ethernet.TYPE_ARP) { * logger.info("allowing ARP traffic"); decision = new * FirewallDecision(IRoutingDecision.RoutingAction.FORWARD_OR_FLOOD); * decision.addToContext(cntx); return Command.CONTINUE; } */ // check if we have a matching rule for this packet/flow // and no decision is taken yet if (decision == null) { RuleWildcardsPair match_ret = this.matchWithRule(sw, pi, cntx); FirewallRule rule = match_ret.rule; if (rule == null || rule.action == FirewallRule.FirewallAction.DENY) { decision = new RoutingDecision(sw.getId(), pi.getInPort() , IDeviceService.fcStore. get(cntx, IDeviceService.CONTEXT_SRC_DEVICE), IRoutingDecision.RoutingAction.DROP); decision.setWildcards(match_ret.wildcards); decision.addToContext(cntx); if (logger.isTraceEnabled()) { if (rule == null) logger.trace( "No firewall rule found for PacketIn={}, blocking flow", pi); else if (rule.action == FirewallRule.FirewallAction.DENY) { logger.trace("Deny rule={} match for PacketIn={}", rule, pi); } } } else { decision = new RoutingDecision(sw.getId(), pi.getInPort() , IDeviceService.fcStore. get(cntx, IDeviceService.CONTEXT_SRC_DEVICE), IRoutingDecision.RoutingAction.FORWARD_OR_FLOOD); decision.setWildcards(match_ret.wildcards); decision.addToContext(cntx); if (logger.isTraceEnabled()) logger.trace("Allow rule={} match for PacketIn={}", rule, pi); } } return Command.CONTINUE; } @Override public boolean isEnabled() { return enabled; } }