Firewall REST API

Firewall REST Interface

The Firewall Module exposes REST interface implemented as RestletRoutable using Rest API Service. Following is a list of REST methods exposed:

URI

Method

URI Arguments

Data

Data Fields

Description

/wm/firewall/module/status/json

GET

None

None

None

Query the status of the firewall.

/wm/firewall/module/enable/jsonPUTNoneNoneNoneEnable the firewall.
/wm/firewall/module/disable/jsonPUTNoneNoneNoneDisable the firewall.
/wm/firewall/module/subnet-mask/jsonGETNoneNoneNoneGet the firewall's configured subnet mask.
 POSTNone{"subnet-mask":"X.X.X.X"}"subnet-mask":"X.X.X.X", where X.X.X.X is a valid IPv4 subnet mask.Set the subnet mask of the firewall.

/wm/firewall/rules/json

GET

None

None

None

List all existing rules in json format.

 

POST

None

{"<field 1>":"<value 1>", "<field 2>":"<value 2>", ...}

"field":"value" pairs below in any order and combination:
"switchid":"<xx:xx:xx:xx:xx:xx:xx:xx>", "src-inport":"<short>", 
"src-mac": "<xx:xx:xx:xx:xx:xx>", "dst-mac": "<xx:xx:xx:xx:xx:xx>", 
"dl-type": "<ARP or IPv4>", "src-ip": "<A.B.C.D/M>", "dst-ip": "<A.B.C.D/M>", 
"nw-proto": "<TCP or UDP or ICMP>", "tp-src": "<short>", "tp-dst": "<short>", 
"priority": "<int>", "action": "<ALLOW or DENY>"

Note: specifying src-ip/dst-ip without specifying dl-type as ARP, or specifying any IP-based nw-proto will automatically set dl-type to match IPv4.

Create new firewall rule.

 

DELETE

None

{"<ruleid>":"<int>"}

"ruleid": "<int>"
Note: ruleid is a random number generated and returned in the json response upon successful creation

Delete a rule by ruleid.

Examples using curl

Assume the controller runs on localhost. Show whether the firewall is enabled or disabled.

curl http://localhost:8080/wm/firewall/module/status/json

Enable the firewall. By default firewall denies all traffic unless an explicit ALLOW rule is created.

curl http://localhost:8080/wm/firewall/module/enable/json -X PUT -d ''

Adding an ALLOW rule for all flows to pass through switch 00:00:00:00:00:00:00:01.

curl -X POST -d '{"switchid": "00:00:00:00:00:00:00:01"}' http://localhost:8080/wm/firewall/rules/json

Adding an ALLOW rule for all flows between IP host 10.0.0.3 and host 10.0.1.5. Not specifying action implies ALLOW rule.

curl -X POST -d '{"src-ip": "10.0.0.3/32", "dst-ip": "10.0.0.7/32"}' http://localhost:8080/wm/firewall/rules/json
curl -X POST -d '{"src-ip": "10.0.0.7/32", "dst-ip": "10.0.0.3/32"}' http://localhost:8080/wm/firewall/rules/json

Adding an ALLOW rule for all flows between host mac 00:00:00:00:00:0a and host 00:00:00:00:00:0b

curl -X POST -d '{"src-mac": "00:00:00:00:00:0a", "dst-mac": "00:00:00:00:00:0a"}' http://localhost:8080/wm/firewall/rules/json
curl -X POST -d '{"src-mac": "00:00:00:00:00:0b", "dst-mac": "00:00:00:00:00:0b"}' http://localhost:8080/wm/firewall/rules/json

Adding an ALLOW rule for ping to work between IP hosts 10.0.0.3 and 10.0.0.7.

curl -X POST -d '{"src-ip": "10.0.0.3/32", "dst-ip": "10.0.0.7/32", "dl-type":"ARP" }'   http://localhost:8080/wm/firewall/rules/json
curl -X POST -d '{"src-ip": "10.0.0.7/32", "dst-ip": "10.0.0.3/32", "dl-type":"ARP" }' http://localhost:8080/wm/firewall/rules/json

curl -X POST -d '{"src-ip": "10.0.0.3/32", "dst-ip": "10.0.0.7/32", "nw-proto":"ICMP" }' http://localhost:8080/wm/firewall/rules/json
curl -X POST -d '{"dst-ip": "10.0.0.7/32", "dst-ip": "10.0.0.3/32", "nw-proto":"ICMP" }' http://localhost:8080/wm/firewall/rules/json

Adding an ALLOW rule for UDP (such as iperf) to work between IP hosts 10.0.0.4 and 10.0.0.10, and then blocking port 5010.

curl -X POST -d '{"src-ip": "10.0.0.4/32", "dst-ip": "10.0.0.10/32", "dl-type":"ARP" }' http://localhost:8080/wm/firewall/rules/json
curl -X POST -d '{"dst-ip": "10.0.0.10/32", "dst-ip": "10.0.0.4/32", "dl-type":"ARP" }' http://localhost:8080/wm/firewall/rules/json

curl -X POST -d '{"src-ip": "10.0.0.4/32", "dst-ip": "10.0.0.10/32", "nw-proto":"UDP" }' http://localhost:8080/wm/firewall/rules/json
curl -X POST -d '{"src-ip": "10.0.0.10/32", "dst-ip": "10.0.0.4/32", "nw-proto":"UDP" }' http://localhost:8080/wm/firewall/rules/json

curl -X POST -d '{"src-ip": "10.0.0.4/32", "dst-ip": "10.0.0.10/32", "nw-proto":"UDP", "tp-src":"5010", "action":"DENY" }' http://localhost:8080/wm/firewall/rules/json
curl -X POST -d '{"src-ip": "10.0.0.10/32", "dst-ip": "10.0.0.4/32", "nw-proto":"UDP", "tp-src":"5010", "action":"DENY" }' http://localhost:8080/wm/firewall/rules/json