Session 3
Firewall and NAT
Test Case: Block UDP
sudo mn --topo single,5 --mac --arp --switch ovsk --controller remote
mininet> pingall
mininet> h2 echo Hello > send; nc -lu 1234 < send > recv &
mininet> h4 echo Hi > send; nc -u 10.0.0.2 1234 < send > recv &
mininet> h2 killall nc
mininet> h4 killall nc
mininet> h2 wc -l recv
0 recv
mininet> h4 wc -l recv
0 recv
mininet> exit
sudo mn -c
Test Case: Block Telnet
sudo mn --topo single,5 --mac --arp --switch ovsk --controller remote
mininet> pingall
mininet> h1 echo Hello > send; nc -l 23 < send > recv &
mininet> h5 echo Hi > send; nc 10.0.0.1 23 < send > recv &
mininet> h1 killall nc
mininet> h5 killall nc
mininet> h1 wc -l recv
0 recv
mininet> h5 wc -l recv
0 recv
mininet> exit
sudo mn -c
Test Case: NAT
sudo mn --topo single,5 --mac --arp --switch ovsk --controller remote
mininet> pingall
mininet> h3 echo Hello > send; nc -l 443 < send > recv &
mininet> h5 echo Hi > send; nc 10.0.0.3 80 < send > recv &
mininet> h3 killall nc
mininet> h5 killall nc
mininet> h3 wc -l recv
0 recv
mininet> h5 wc -l recv
0 recv
mininet> exit
sudo mn -c
Firewall Design
When the switch connects, install the following rules:
- Match: dl_type=0x0800, nw_proto=17
Priority: 2
Action: none
- Match: dl_type=0x0800, nw_proto=6, tp_src=23
Priority: 2
Action: none
- Match: dl_type=0x0800, nw_proto=6, tp_dst=23
Priority: 2
Action: none
When a packet is received and its source MAC address was not yet known, install the
following rule:
- Match: dl_src=learned_mac
Priority: 1
Action: output:in_port
NAT Design
When the switch connects, install the following rules:
- Match: dl_type=0x0800, nw_proto=6, tp_dst=80
Priority: 2
Action: controller
When a packet is received:
- If the source MAC address was not yet known, install the following rule:
- Match: dl_src=learned_mac
Priority: 1
Action: output:in_port
- If the packet is a TCP packet and the destination port is 80, install
the following rules:
- Match: dl_type=0x0800, nw_src=packet.nw_src,
nw_dst=packet.nw_dst, nw_proto=6, tp_dst=80,
tp_src=packet.tp_src
Priority: 3
Action: tp_dst:443, output:learned_port
- Match: dl_type=0x0800, nw_src=packet.nw_dst,
nw_dst=packet.nw_src, nw_proto=6, tp_src=443,
tp_dst=packet.tp_src
Priority: 3
Action: tp_dst:80, output:in_port
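The firewall and NAT rule sets above, replayed in a small flow-table model. This is an added example, not the course skeleton or Floodlight code: rules and packets are plain dicts keyed by the OpenFlow field names used on the slides, an absent match field is a wildcard, and the highest-priority matching rule wins. On the return path it rewrites the TCP source port 443 -> 80 (so the client sees the reply from the port it connected to); host/port numbers in the walkthrough are assumed from the test case.

```python
IPV4, TCP, UDP = 0x0800, 6, 17

def rule(priority, action, **match):
    return {"match": match, "priority": priority, "action": action}

def lookup(table, pkt):
    # A match field that is absent is a wildcard; the highest-priority
    # matching rule wins and None models a table miss (packet-in).
    hits = [r for r in table if all(pkt.get(k) == v for k, v in r["match"].items())]
    return max(hits, key=lambda r: r["priority"]) if hits else None

def firewall_rules():
    # Installed at switch connect (Firewall Design): a rule with no action
    # drops, so UDP and Telnet (TCP/23) in either direction never reach a host.
    return [rule(2, "drop", dl_type=IPV4, nw_proto=UDP),
            rule(2, "drop", dl_type=IPV4, nw_proto=TCP, tp_src=23),
            rule(2, "drop", dl_type=IPV4, nw_proto=TCP, tp_dst=23)]

def nat_static_rule():
    # Installed at switch connect (NAT Design): the first packet of each
    # port-80 flow is sent to the controller, which installs nat_flow_rules.
    return rule(2, "controller", dl_type=IPV4, nw_proto=TCP, tp_dst=80)

def nat_flow_rules(pkt, learned_port, in_port):
    # Per-flow priority-3 rules. Forward: client->server, dst port 80->443.
    # Return: server->client; the source port is rewritten 443->80 here (assumption).
    fwd = rule(3, ("tp_dst", 443, learned_port), dl_type=IPV4, nw_proto=TCP,
               nw_src=pkt["nw_src"], nw_dst=pkt["nw_dst"], tp_src=pkt["tp_src"], tp_dst=80)
    rev = rule(3, ("tp_src", 80, in_port), dl_type=IPV4, nw_proto=TCP,
               nw_src=pkt["nw_dst"], nw_dst=pkt["nw_src"], tp_src=443, tp_dst=pkt["tp_src"])
    return [fwd, rev]

def process(table, pkt):
    # Returns (verdict, out_port, packet as it leaves the switch).
    r = lookup(table, pkt)
    if r is None or r["action"] == "controller":
        return ("controller", None, pkt)
    if r["action"] == "drop":
        return ("drop", None, pkt)
    field, value, port = r["action"]
    return ("output", port, dict(pkt, **{field: value}))

def nat_test_case():
    # Replays "Test Case: NAT": h5 (switch port 5, constructed) connects to h3 (port 3) on 80.
    table = firewall_rules() + [nat_static_rule()]
    syn = {"dl_type": IPV4, "nw_proto": TCP, "nw_src": "10.0.0.5",
           "nw_dst": "10.0.0.3", "tp_src": 40000, "tp_dst": 80}
    first = process(table, syn)[0]                     # "controller": packet-in
    table += nat_flow_rules(syn, learned_port=3, in_port=5)
    _, port, fwd = process(table, syn)
    reply = dict(syn, nw_src="10.0.0.3", nw_dst="10.0.0.5", tp_src=443, tp_dst=40000)
    _, rport, back = process(table, reply)
    return first, port, fwd["tp_dst"], rport, back["tp_src"]
```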
Round-Robin Load Balancer
Skeleton
We have provided skeleton code for Floodlight.
Design
Floodlight Coding Hints
- The following actions will allow you to change fields in the packets:
  OFActionDataLayerDestination -- changes the destination MAC
  OFActionDataLayerSource -- changes the source MAC
  OFActionNetworkLayerDestination -- changes the destination IP
  OFActionNetworkLayerSource -- changes the source IP
- When you install the last rule (in a sequence of rule installations), you
should add a flush:
sw.flush();
Extensions & Optimizations
- Modify the round-robin server assignment to be weighted based on the number
of packets sent to each server over a given time period.
- Obey the round-robin load balancing semantics, but install as few rules as
possible. Hint: What are the minimum match fields necessary to properly
return traffic from the server to the client?
- Avoid the need to install static ARP entries for the special "load
balancer" IP address (10.0.0.254) by having the controller respond to ARP
packets. Hint: You will need to construct the ARP reply packet at the
controller and send it to the switch for forwarding.