forked from faucetsdn/ryu
-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathportknock.py
93 lines (76 loc) · 3.48 KB
/
portknock.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
import logging
from ryu.base import app_manager
from ryu.controller import ofp_event
from ryu.controller.handler import CONFIG_DISPATCHER
from ryu.controller.handler import set_ev_cls
import ryu.ofproto.ofproto_v1_3 as ofproto
import ryu.ofproto.ofproto_v1_3_parser as ofparser
import ryu.ofproto.beba_v1_0 as bebaproto
import ryu.ofproto.beba_v1_0_parser as bebaparser
LOG = logging.getLogger('app.beba.portknock')
""" Last port is the one to be opened after knocking all the others """
port_list = [10, 11, 12, 13, 22]
final_port = port_list[-1]
second_last_port = port_list[-2]
LOG.info("Port knock sequence is %s" % port_list[0:-1])
LOG.info("Final port to open is %s" % port_list[-1])
class BebaPortKnocking(app_manager.RyuApp):
def __init__(self, *args, **kwargs):
super(BebaPortKnocking, self).__init__(*args, **kwargs)
@set_ev_cls(ofp_event.EventOFPSwitchFeatures, CONFIG_DISPATCHER)
def switch_features_handler(self, ev):
msg = ev.msg
datapath = msg.datapath
LOG.info("Configuring switch %d..." % datapath.id)
""" Set table 0 as stateful """
req = bebaparser.OFPExpMsgConfigureStatefulTable(datapath=datapath,
table_id=0,
stateful=1)
datapath.send_msg(req)
""" Set lookup extractor = {ip_src} """
req = bebaparser.OFPExpMsgKeyExtract(datapath=datapath,
command=bebaproto.OFPSC_EXP_SET_L_EXTRACTOR,
fields=[ofproto.OXM_OF_IPV4_SRC],
table_id=0)
datapath.send_msg(req)
""" Set update extractor = {ip_src} (same as lookup) """
req = bebaparser.OFPExpMsgKeyExtract(datapath=datapath,
command=bebaproto.OFPSC_EXP_SET_U_EXTRACTOR,
fields=[ofproto.OXM_OF_IPV4_SRC],
table_id=0)
datapath.send_msg(req)
""" ARP packets flooding """
match = ofparser.OFPMatch(eth_type=0x0806)
actions = [ofparser.OFPActionOutput(ofproto.OFPP_FLOOD)]
self.add_flow(datapath=datapath, table_id=0, priority=100,
match=match, actions=actions)
""" Flow entries for port knocking """
for i in range(len(port_list)):
match = ofparser.OFPMatch(eth_type=0x0800, ip_proto=17,
state=i, udp_dst=port_list[i])
if port_list[i] != final_port and port_list[i] != second_last_port:
# If state not OPEN, set state and drop (implicit)
actions = [bebaparser.OFPExpActionSetState(state=i+1, table_id=0, idle_timeout=5)]
elif port_list[i] == second_last_port:
# In the transaction to the OPEN state, the timeout is set to 10 sec
actions = [bebaparser.OFPExpActionSetState(state=i+1, table_id=0, idle_timeout=10)]
else:
actions = [ofparser.OFPActionOutput(2)]
self.add_flow(datapath=datapath, table_id=0, priority=10,
match=match, actions=actions)
""" Get back to DEFAULT if wrong knock (UDP match, lowest priority) """
match = ofparser.OFPMatch(eth_type=0x0800, ip_proto=17)
actions = [bebaparser.OFPExpActionSetState(state=0, table_id=0)]
self.add_flow(datapath=datapath, table_id=0, priority=0,
match=match, actions=actions)
""" Test port 1300, always forward on port 2 """
match = ofparser.OFPMatch(eth_type=0x0800, ip_proto=17, udp_dst=1300)
actions = [ofparser.OFPActionOutput(2)]
self.add_flow(datapath=datapath, table_id=0, priority=10,
match=match, actions=actions)
def add_flow(self, datapath, table_id, priority, match, actions):
inst = [ofparser.OFPInstructionActions(
ofproto.OFPIT_APPLY_ACTIONS, actions)]
mod = ofparser.OFPFlowMod(datapath=datapath, table_id=table_id,
priority=priority, match=match, instructions=inst)
datapath.send_msg(mod)