Firewall REST API
Firewall REST Interface
The Firewall module exposes a REST interface, implemented as a RestletRoutable and registered with the controller's REST API service. The REST methods it exposes are listed below:
URI | Method | URI Arguments | Data | Data Fields | Description
---|---|---|---|---|---
/wm/firewall/module/status/json | GET | None | None | None | Query the status of the firewall (enabled or disabled).
/wm/firewall/module/enable/json | PUT | None | None | None | Enable the firewall.
/wm/firewall/module/disable/json | PUT | None | None | None | Disable the firewall.
/wm/firewall/module/subnet-mask/json | GET | None | None | None | Get the firewall's configured subnet mask.
/wm/firewall/module/subnet-mask/json | POST | None | {"subnet-mask":"X.X.X.X"} | "subnet-mask":"X.X.X.X", where X.X.X.X is a valid IPv4 subnet mask. | Set the subnet mask of the firewall.
/wm/firewall/rules/json | GET | None | None | None | List all existing rules in JSON format.
/wm/firewall/rules/json | POST | None | {"<field 1>":"<value 1>", "<field 2>":"<value 2>", ...} | "field":"value" pairs in any order and combination. The fields used in the examples on this page are switchid, src-mac, dst-mac, dl-type, src-ip, dst-ip, nw-proto, tp-src and action; a field that is omitted is wildcarded, and an omitted action means ALLOW. | Create a new firewall rule.
/wm/firewall/rules/json | DELETE | None | {"ruleid":"<int>"} | "ruleid":"<int>", the id of the rule to delete. | Delete a rule by ruleid.
Examples using curl
Assume the controller runs on localhost with its REST port on 8080. Note that nothing in these requests authenticates the caller: any host that can reach that port can disable the firewall or change its rules, so restrict network access to the REST port. Show whether the firewall is enabled or disabled:
curl http://localhost:8080/wm/firewall/module/status/json
Enable the firewall. By default the firewall denies all traffic unless an explicit ALLOW rule is created, so enabling it on a live network cuts off every flow that no rule permits.
curl http://localhost:8080/wm/firewall/module/enable/json -X PUT -d ''
Adding an ALLOW rule for all flows to pass through switch 00:00:00:00:00:00:00:01.
curl -X POST -d '{"switchid": "00:00:00:00:00:00:00:01"}' http://localhost:8080/wm/firewall/rules/json
Adding an ALLOW rule for all flows between IP host 10.0.0.3 and IP host 10.0.0.7. Rules are directional, so one rule is needed per direction. Omitting the action field implies an ALLOW rule.
curl -X POST -d '{"src-ip": "10.0.0.3/32", "dst-ip": "10.0.0.7/32"}' http://localhost:8080/wm/firewall/rules/json
curl -X POST -d '{"src-ip": "10.0.0.7/32", "dst-ip": "10.0.0.3/32"}' http://localhost:8080/wm/firewall/rules/json
Adding an ALLOW rule for all flows between host MAC 00:00:00:00:00:0a and host MAC 00:00:00:00:00:0b, again one rule per direction.
curl -X POST -d '{"src-mac": "00:00:00:00:00:0a", "dst-mac": "00:00:00:00:00:0b"}' http://localhost:8080/wm/firewall/rules/json
curl -X POST -d '{"src-mac": "00:00:00:00:00:0b", "dst-mac": "00:00:00:00:00:0a"}' http://localhost:8080/wm/firewall/rules/json
Adding ALLOW rules for ping to work between IP hosts 10.0.0.3 and 10.0.0.7. Ping needs ARP resolution in both directions before any ICMP is exchanged, so four rules are required: ARP each way and ICMP each way.
curl -X POST -d '{"src-ip": "10.0.0.3/32", "dst-ip": "10.0.0.7/32", "dl-type":"ARP" }' http://localhost:8080/wm/firewall/rules/json
curl -X POST -d '{"src-ip": "10.0.0.7/32", "dst-ip": "10.0.0.3/32", "dl-type":"ARP" }' http://localhost:8080/wm/firewall/rules/json
curl -X POST -d '{"src-ip": "10.0.0.3/32", "dst-ip": "10.0.0.7/32", "nw-proto":"ICMP" }' http://localhost:8080/wm/firewall/rules/json
curl -X POST -d '{"src-ip": "10.0.0.7/32", "dst-ip": "10.0.0.3/32", "nw-proto":"ICMP" }' http://localhost:8080/wm/firewall/rules/json
Adding ALLOW rules for UDP (such as iperf) to work between IP hosts 10.0.0.4 and 10.0.0.10, and then adding DENY rules for UDP traffic with source port 5010 in either direction. As before, ARP must be allowed first; the DENY rules need an explicit "action":"DENY" because the default action is ALLOW.
curl -X POST -d '{"src-ip": "10.0.0.4/32", "dst-ip": "10.0.0.10/32", "dl-type":"ARP" }' http://localhost:8080/wm/firewall/rules/json
curl -X POST -d '{"src-ip": "10.0.0.10/32", "dst-ip": "10.0.0.4/32", "dl-type":"ARP" }' http://localhost:8080/wm/firewall/rules/json
curl -X POST -d '{"src-ip": "10.0.0.4/32", "dst-ip": "10.0.0.10/32", "nw-proto":"UDP" }' http://localhost:8080/wm/firewall/rules/json
curl -X POST -d '{"src-ip": "10.0.0.10/32", "dst-ip": "10.0.0.4/32", "nw-proto":"UDP" }' http://localhost:8080/wm/firewall/rules/json
curl -X POST -d '{"src-ip": "10.0.0.4/32", "dst-ip": "10.0.0.10/32", "nw-proto":"UDP", "tp-src":"5010", "action":"DENY" }' http://localhost:8080/wm/firewall/rules/json
curl -X POST -d '{"src-ip": "10.0.0.10/32", "dst-ip": "10.0.0.4/32", "nw-proto":"UDP", "tp-src":"5010", "action":"DENY" }' http://localhost:8080/wm/firewall/rules/json
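The curl examples above are easy to get wrong by hand (a duplicated "dst-ip" key, a rule whose source and destination are the same host, or a typo in a MAC that the controller happily stores as a rule that never matches). The following Python client is an added example, not code from the Floodlight project or from this page. It builds the rule payloads for the bidirectional, ping and UDP cases shown above, validates every field before sending it, refuses empty (match-everything) rules, and talks to the endpoints in the table with the standard library only. It assumes the controller is at http://localhost:8080, that the rule fields are exactly the ones used on this page, and that the controller accepts "IPv4" for dl-type and "TCP" for nw-proto (both assumptions; the page shows only ARP, ICMP and UDP).

```python
"""Minimal Floodlight firewall REST client. Added example; assumptions noted inline."""
import ipaddress
import json
import re
import urllib.request

BASE_URL = "http://localhost:8080"  # assumption: controller REST port on localhost
RULES = "/wm/firewall/rules/json"

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)
DPID_RE = re.compile(r"^([0-9a-f]{2}:){7}[0-9a-f]{2}$", re.I)


def _ipv4(v):
    ipaddress.IPv4Network(v, strict=False)  # raises ValueError on a bad address/prefix
    return v


def _regex(pattern, what):
    def check(v):
        if not pattern.match(v):
            raise ValueError(f"bad {what}: {v!r}")
        return v
    return check


def _port(v):
    p = int(v)  # ValueError if not numeric
    if not 0 <= p <= 65535:
        raise ValueError(f"port out of range: {p}")
    return str(p)  # the page sends ports as strings


def _choice(*allowed):
    def check(v):
        if v not in allowed:
            raise ValueError(f"{v!r} not one of {allowed}")
        return v
    return check


# Fields used on this page, with a validator each. Unknown keys are rejected
# locally instead of being sent to the controller.
VALIDATORS = {
    "switchid": _regex(DPID_RE, "switch DPID"),
    "src-mac": _regex(MAC_RE, "MAC"), "dst-mac": _regex(MAC_RE, "MAC"),
    "src-ip": _ipv4, "dst-ip": _ipv4,
    "dl-type": _choice("ARP", "IPv4"),          # "IPv4" is an assumption
    "nw-proto": _choice("ICMP", "TCP", "UDP"),  # "TCP" is an assumption
    "tp-src": _port,
    "action": _choice("ALLOW", "DENY"),
}


def make_rule(**fields):
    """Build one validated rule dict; kwargs use '_' where the API uses '-'."""
    rule = {}
    for key, value in fields.items():
        name = key.replace("_", "-")
        if name not in VALIDATORS:
            raise ValueError(f"unknown rule field {name!r}")
        rule[name] = VALIDATORS[name](value)
    if not rule:
        raise ValueError("empty rule would match all traffic (ALLOW-all); refuse it")
    for a, b in (("src-ip", "dst-ip"), ("src-mac", "dst-mac")):
        if a in rule and rule.get(a) == rule.get(b):
            raise ValueError(f"{a} equals {b}; almost certainly a copy-paste error")
    return rule


def bidirectional(src, dst, **extra):
    """Rules are directional, so every host pair needs one rule per direction."""
    return [make_rule(src_ip=src, dst_ip=dst, **extra),
            make_rule(src_ip=dst, dst_ip=src, **extra)]


def ping_rules(a, b):
    """ARP both ways (resolution happens first), then ICMP both ways."""
    return bidirectional(a, b, dl_type="ARP") + bidirectional(a, b, nw_proto="ICMP")


def udp_rules(a, b, blocked_src_port):
    """Allow UDP both ways, then DENY UDP with the given source port both ways."""
    return (bidirectional(a, b, nw_proto="UDP")
            + bidirectional(a, b, nw_proto="UDP", tp_src=blocked_src_port, action="DENY"))


class FirewallClient:
    def __init__(self, base_url=BASE_URL):
        self.base = base_url.rstrip("/")

    def _call(self, path, method="GET", body=None):
        data = body if isinstance(body, (bytes, type(None))) else json.dumps(body).encode()
        req = urllib.request.Request(self.base + path, data=data, method=method,
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=5) as resp:
            raw = resp.read().decode()
        try:
            return json.loads(raw)
        except ValueError:
            return raw  # some endpoints may answer with plain text

    def status(self):
        return self._call("/wm/firewall/module/status/json")

    def enable(self):
        return self._call("/wm/firewall/module/enable/json", "PUT", b"")  # like curl -d ''

    def list_rules(self):
        return self._call(RULES)

    def add_rules(self, rules):
        return [self._call(RULES, "POST", r) for r in rules]

    def delete_rule(self, ruleid):
        return self._call(RULES, "DELETE", {"ruleid": str(ruleid)})


if __name__ == "__main__":
    fw = FirewallClient()
    fw.enable()
    print(fw.add_rules(ping_rules("10.0.0.3/32", "10.0.0.7/32")))
    print(fw.status())
```

Validation happens before any request is sent, so a malformed rule never reaches the controller, and the src-equals-dst check catches the mirrored-rule mistake that is easy to make when copying the second curl line from the first.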