Firewall REST Interface

The Firewall Module exposes REST interface implemented as RestletRoutable using Rest API Service. Following is a list of REST methods exposed:

URI	Method	URI Arguments	Data	Data Fields	Description
/wm/firewall/module/status/json	GET	None	None	None	Query the status of the firewall.
/wm/firewall/module/enable/json	PUT	None	None	None	Enable the firewall.
/wm/firewall/module/disable/json	PUT	None	None	None	Disable the firewall.
/wm/firewall/module/subnet-mask/json	GET	None	None	None	Get the firewall's configured subnet mask.
	POST	None	{"subnet-mask":"X.X.X.X"}	"subnet-mask":"X.X.X.X", where X.X.X.X is a valid IPv4 subnet mask.	Set the subnet mask of the firewall.
/wm/firewall/rules/json	GET	None	None	None	List all existing rules in json format.
	POST	None	{"<field 1>":"<value 1>", "<field 2>":"<value 2>", ...}	"field":"value" pairs below in any order and combination: "switchid":"<xx:xx:xx:xx:xx:xx:xx:xx>", "src-inport":"<short>", "src-mac": "<xx:xx:xx:xx:xx:xx>", "dst-mac": "<xx:xx:xx:xx:xx:xx>", "dl-type": "<ARP or IPv4>", "src-ip": "<A.B.C.D/M>", "dst-ip": "<A.B.C.D/M>", "nw-proto": "<TCP or UDP or ICMP>", "tp-src": "<short>", "tp-dst": "<short>", "priority": "<int>", "action": "<ALLOW or DENY>" Note: specifying src-ip/dst-ip without specifying dl-type as ARP, or specifying any IP-based nw-proto will automatically set dl-type to match IPv4.	Create new firewall rule.
	DELETE	None	{"<ruleid>":"<int>"}	"ruleid": "<int>" Note: ruleid is a random number generated and returned in the json response upon successful creation	Delete a rule by ruleid.

Examples using curl

Assume the controller runs on localhost. Show whether the firewall is enabled or disabled.

curl http://localhost:8080/wm/firewall/module/status/json

Enable the firewall. By default firewall denies all traffic unless an explicit ALLOW rule is created.

curl http://localhost:8080/wm/firewall/module/enable/json -X PUT -d ''

Adding an ALLOW rule for all flows to pass through switch 00:00:00:00:00:00:00:01.

curl -X POST -d '{"switchid": "00:00:00:00:00:00:00:01"}' http://localhost:8080/wm/firewall/rules/json

Adding an ALLOW rule for all flows between IP host 10.0.0.3 and host 10.0.1.5. Not specifying action implies ALLOW rule.

curl -X POST -d '{"src-ip": "10.0.0.3/32", "dst-ip": "10.0.0.7/32"}' http://localhost:8080/wm/firewall/rules/json
curl -X POST -d '{"src-ip": "10.0.0.7/32", "dst-ip": "10.0.0.3/32"}' http://localhost:8080/wm/firewall/rules/json

Adding an ALLOW rule for all flows between host mac 00:00:00:00:00:0a and host 00:00:00:00:00:0b

curl -X POST -d '{"src-mac": "00:00:00:00:00:0a", "dst-mac": "00:00:00:00:00:0a"}' http://localhost:8080/wm/firewall/rules/json
curl -X POST -d '{"src-mac": "00:00:00:00:00:0b", "dst-mac": "00:00:00:00:00:0b"}' http://localhost:8080/wm/firewall/rules/json

Adding an ALLOW rule for ping to work between IP hosts 10.0.0.3 and 10.0.0.7.

curl -X POST -d '{"src-ip": "10.0.0.3/32", "dst-ip": "10.0.0.7/32", "dl-type":"ARP" }'   http://localhost:8080/wm/firewall/rules/json
curl -X POST -d '{"src-ip": "10.0.0.7/32", "dst-ip": "10.0.0.3/32", "dl-type":"ARP" }' http://localhost:8080/wm/firewall/rules/json

curl -X POST -d '{"src-ip": "10.0.0.3/32", "dst-ip": "10.0.0.7/32", "nw-proto":"ICMP" }' http://localhost:8080/wm/firewall/rules/json
curl -X POST -d '{"dst-ip": "10.0.0.7/32", "dst-ip": "10.0.0.3/32", "nw-proto":"ICMP" }' http://localhost:8080/wm/firewall/rules/json

Adding an ALLOW rule for UDP (such as iperf) to work between IP hosts 10.0.0.4 and 10.0.0.10, and then blocking port 5010.

curl -X POST -d '{"src-ip": "10.0.0.4/32", "dst-ip": "10.0.0.10/32", "dl-type":"ARP" }' http://localhost:8080/wm/firewall/rules/json
curl -X POST -d '{"dst-ip": "10.0.0.10/32", "dst-ip": "10.0.0.4/32", "dl-type":"ARP" }' http://localhost:8080/wm/firewall/rules/json

curl -X POST -d '{"src-ip": "10.0.0.4/32", "dst-ip": "10.0.0.10/32", "nw-proto":"UDP" }' http://localhost:8080/wm/firewall/rules/json
curl -X POST -d '{"src-ip": "10.0.0.10/32", "dst-ip": "10.0.0.4/32", "nw-proto":"UDP" }' http://localhost:8080/wm/firewall/rules/json

curl -X POST -d '{"src-ip": "10.0.0.4/32", "dst-ip": "10.0.0.10/32", "nw-proto":"UDP", "tp-src":"5010", "action":"DENY" }' http://localhost:8080/wm/firewall/rules/json
curl -X POST -d '{"src-ip": "10.0.0.10/32", "dst-ip": "10.0.0.4/32", "nw-proto":"UDP", "tp-src":"5010", "action":"DENY" }' http://localhost:8080/wm/firewall/rules/json