Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Introduction

The Floodlight contains a firewall application that enforces ACL in a reactive way. In a reactive way, the controller enforces ACL rules by monitoring Packet-in messages and then pushing relevant flow entries. However in a proactive way, the controller enforces ACL rules without being requested by the switch, thus to avoid additional delays. 

This ACL application parses user's REST request for ACL updating and enforces that by static flow entries in a proactive way without monitoring Packet-in messages. It can also remove ACL flow entry it generated timely when related ACL rule is removed. 

Issues

There are some issues you should know before using the ACL application:

  • In the application, earlier added ACL rule always has higher priority because the application enforces ACL rules at the time they are added, so the order to add ACL rules is critical. The application handles the priority carefully so that earlier generated ACL flow entry in the same switch always has higher priority(max to 30000), so as to ensure the priority definition in ACL rules.
  • All the ACL flow entries the application generated are static flow entries named like: "ACLRule_[Rule Id]_[Switch_DPID]", which can be operated by the Static Flow Pusher API.
  • The application is used for filtering IP packets between different hosts, so the user has to specific either src-ip or dst. The application enforces a new ACL rule by its src-ip attribute by default, that is to say, pushes ACL flow entries into the ingress switches connecting to the host with the source IP address defined in src-ip. The application is also able to enforce a new ACL rule without src-ip attribute value, which means the rule works on all source IP addresses in the network. In such situation, it pushes ACL flow entries into the egress switches relevant to the rule's dst-ip attribute rather than all the ingress switches in the network.
  • The application allows all flows by default, the ACL rule with "ALLOW" action is just used to subtract the allowing flow from the denying flow which has a larger match range, e.g. "allow flow with src-ip 10.0.0.1/32 but deny all other flows with src-ip 10.0.0.0/24". An ACL rule with "ALLOW" action will be mapped into ACL flow entries with "Output to controller" action so as to let the controller determine how to forward that flow.

...

The application will generate an distinct id for every new added rule. 

Properties of

...

an ACL rule:

KeyValueNotes
nw-protostring"TCP" or "UDP" or "ICMP" (ignoring case)
src-ipIPv4 address[/mask]Either src-ip or dst-ip must be specified.
dst-ipIPv4 address[/mask]Either src-ip or dst-ip must be specified.
tp-dstnumberValid when nw-proto == "TCP" or "UDP".
actionstring"DENY" or "ALLOW" (ignoring case), set to "DENY" if not specified.

...