Wednesday, January 31, 2018

openflow switch, openvswitch with ryu as the controller

***info***
controller ip:192.168.12.35



*** on controller ***

1- install package
$ sudo apt-get install ryu-bin

2- configure ryu as below ( /etc/ryu/ryu.conf)
[DEFAULT]
log_config_file=/etc/ryu/log.conf
app_lists = ryu.app.simple_switch_13,ryu.app.ofctl_rest

wsapi_host = 0.0.0.0
wsapi_port = 8080
ofp_listen_host = 0.0.0.0
ofp_tcp_listen_port = 6633





3- restart the controller and it is ready
$ sudo /etc/init.d/ryu restart


*** switch ***
1- install package
$ sudo apt-get install openvswitch-switch

1- configure switch
$ sudo ovs-vsctl add-br br0
$ sudo ovs-vsctl set bridge br0 protocols=OpenFlow10,OpenFlow11,OpenFlow12,OpenFlow13
$ sudo ovs-vsctl set-controller br0 tcp:192.168.12.35:6633

-- add the ports and bring them up
$ sudo ovs-vsctl add-port br0 enp0s8
$ sudo ovs-vsctl add-port br0 enp0s9
$ sudo ovs-vsctl add-port br0 enp0s10
$ sudo ifconfig  br0 up


$sudo ifconfig  enp0s8 up
$ sudo ifconfig  enp0s9 up
$ sudo ifconfig  enp0s10 up



now it is operational; clients connected to those 3 ports will be able to reach each other


****  edit an app***
for example, our client has MAC address 08:00:27:d5:75:d9, and we want to hard-code in our app that any packets from that client are dropped
app file: /usr/lib/python3/dist-packages/ryu/app/simple_switch_13d.py, with the content below
from ryu.base import app_manager
from ryu.controller import ofp_event
from ryu.controller.handler import CONFIG_DISPATCHER, MAIN_DISPATCHER
from ryu.controller.handler import set_ev_cls
from ryu.ofproto import ofproto_v1_3
from ryu.lib.packet import packet
from ryu.lib.packet import ethernet
from ryu.lib.packet import ether_types
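class SimpleSwitch13(app_manager.RyuApp):
    """Learning L2 switch for OpenFlow 1.3 with a hard-coded MAC block list.

    Works like ryu's stock ``simple_switch_13`` (learn the source MAC per
    datapath, install a forwarding flow for known destinations, flood
    otherwise), except that traffic whose source or destination MAC is in
    ``BLOCKED_MACS`` is dropped: the packet is discarded and a drop flow
    is installed on the switch so later packets never reach the controller.

    The original version assigned ``ofproto.OFPC_FRAG_DROP`` to ``out_port``;
    that constant is an IP-fragment handling flag for the switch config, not
    an output port, so ``OFPActionOutput`` would emit the packet on whatever
    port number the flag happens to equal instead of dropping it.  It also
    consulted the learned table before the block check, so once the blocked
    MAC had been learned the block branch was never reached.  A drop in
    OpenFlow is a flow whose instruction carries an empty action list.
    """

    OFP_VERSIONS = [ofproto_v1_3.OFP_VERSION]

    # MAC addresses whose traffic is dropped instead of switched.
    # A MAC-based block is a convenience filter, not an access control:
    # it holds only as long as the host keeps announcing this address.
    BLOCKED_MACS = frozenset({"08:00:27:d5:75:d9"})

    # Flow priorities.  The drop rule must outrank learned forwarding
    # rules, which in turn outrank the table-miss rule.
    TABLE_MISS_PRIORITY = 0
    FORWARD_PRIORITY = 1
    DROP_PRIORITY = 2

    def __init__(self, *args, **kwargs):
        super(SimpleSwitch13, self).__init__(*args, **kwargs)
        # dpid -> {mac -> port}: the learned forwarding table, per switch.
        self.mac_to_port = {}

    @set_ev_cls(ofp_event.EventOFPSwitchFeatures, CONFIG_DISPATCHER)
    def switch_features_handler(self, ev):
        """Install the table-miss flow that punts unknown traffic to the controller.

        ``OFPCML_NO_BUFFER`` asks the switch to send the whole packet rather
        than buffering it and sending only a prefix.
        """
        datapath = ev.msg.datapath
        ofproto = datapath.ofproto
        parser = datapath.ofproto_parser
        match = parser.OFPMatch()
        actions = [parser.OFPActionOutput(ofproto.OFPP_CONTROLLER,
                                          ofproto.OFPCML_NO_BUFFER)]
        self.add_flow(datapath, self.TABLE_MISS_PRIORITY, match, actions)

    def add_flow(self, datapath, priority, match, actions, buffer_id=None):
        """Send an OFPFlowMod installing *actions* for *match* at *priority*.

        Args:
            datapath: the switch (ryu Datapath) to program.
            priority: flow priority; higher wins on overlapping matches.
            match: an ``OFPMatch`` selecting the packets.
            actions: list of OpenFlow actions; an EMPTY list installs a
                drop rule, since a matching packet with no output action
                is discarded by the switch.
            buffer_id: when given, the switch also applies the new rule
                to the packet it holds under that id.
        """
        ofproto = datapath.ofproto
        parser = datapath.ofproto_parser
        inst = [parser.OFPInstructionActions(ofproto.OFPIT_APPLY_ACTIONS,
                                             actions)]
        # Compare against None rather than relying on truthiness: a
        # buffer id of 0 is a valid id, not "no buffer".
        if buffer_id is not None:
            mod = parser.OFPFlowMod(datapath=datapath, buffer_id=buffer_id,
                                    priority=priority, match=match,
                                    instructions=inst)
        else:
            mod = parser.OFPFlowMod(datapath=datapath, priority=priority,
                                    match=match, instructions=inst)
        datapath.send_msg(mod)

    def _drop_blocked(self, datapath, msg, src, dst):
        """Discard *msg* and install a drop flow for the blocked MAC.

        The match is on ``eth_src`` when the sender is blocked, otherwise
        on ``eth_dst``.  If the switch buffered the packet, passing its
        buffer id with the drop flow discards that copy too; if the full
        packet was sent to the controller, not emitting a PacketOut is
        already the drop.
        """
        ofproto = datapath.ofproto
        parser = datapath.ofproto_parser
        if src in self.BLOCKED_MACS:
            match = parser.OFPMatch(eth_src=src)
        else:
            match = parser.OFPMatch(eth_dst=dst)
        buffer_id = None
        if msg.buffer_id != ofproto.OFP_NO_BUFFER:
            buffer_id = msg.buffer_id
        self.add_flow(datapath, self.DROP_PRIORITY, match, [], buffer_id)

    @set_ev_cls(ofp_event.EventOFPPacketIn, MAIN_DISPATCHER)
    def _packet_in_handler(self, ev):
        """Learn the source MAC, then drop, forward, or flood the packet.

        Order matters: the block-list check runs before any forwarding
        decision so a blocked MAC can neither be learned as a source nor
        reached as a destination.
        """
        msg = ev.msg
        if msg.msg_len < msg.total_len:
            self.logger.debug("packet truncated: only %s of %s bytes",
                              msg.msg_len, msg.total_len)
        datapath = msg.datapath
        ofproto = datapath.ofproto
        parser = datapath.ofproto_parser
        in_port = msg.match['in_port']

        pkt = packet.Packet(msg.data)
        eth = pkt.get_protocols(ethernet.ethernet)[0]
        if eth.ethertype == ether_types.ETH_TYPE_LLDP:
            # Ignore LLDP: topology discovery traffic, never switched.
            return
        dst = eth.dst
        src = eth.src
        dpid = datapath.id
        self.logger.info("packet in %s %s %s %s", dpid, src, dst, in_port)

        ports = self.mac_to_port.setdefault(dpid, {})
        if src not in self.BLOCKED_MACS:
            ports[src] = in_port
        if src in self.BLOCKED_MACS or dst in self.BLOCKED_MACS:
            self._drop_blocked(datapath, msg, src, dst)
            return

        out_port = ports.get(dst, ofproto.OFPP_FLOOD)
        actions = [parser.OFPActionOutput(out_port)]

        if out_port != ofproto.OFPP_FLOOD:
            # Known destination: program the switch so the next packets
            # of this flow are handled in hardware without a PacketIn.
            match = parser.OFPMatch(in_port=in_port, eth_dst=dst)
            if msg.buffer_id != ofproto.OFP_NO_BUFFER:
                # The flow mod with buffer_id also releases the buffered
                # packet, so no PacketOut is needed.
                self.add_flow(datapath, self.FORWARD_PRIORITY, match,
                              actions, msg.buffer_id)
                return
            self.add_flow(datapath, self.FORWARD_PRIORITY, match, actions)

        # Only attach the payload when the switch did not buffer it.
        data = msg.data if msg.buffer_id == ofproto.OFP_NO_BUFFER else None
        out = parser.OFPPacketOut(datapath=datapath, buffer_id=msg.buffer_id,
                                  in_port=in_port, actions=actions, data=data)
        datapath.send_msg(out)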


to use it, update our ryu.conf as below
[DEFAULT]
log_config_file=/etc/ryu/log.conf
app_lists = ryu.app.simple_switch_13d,ryu.app.ofctl_rest

wsapi_host = 0.0.0.0
wsapi_port = 8080
ofp_listen_host = 0.0.0.0
ofp_tcp_listen_port = 6633



now all packets from that host will be dropped



**** REST commands ****

-list switch
$ curl -X GET http://localhost:8080/stats/switches

-list firewall status
$ curl http://localhost:8080/firewall/module/status

-get firewall rules from switch ip xxxxxxxxxx
$ curl -X GET http://localhost:8080/firewall/rules/000008002734600a | python -m json.tool

-add firewall rule
$ curl -X POST -d  '{"nw_src": "192.168.58.80/32", "nw_dst": "192.168.58.22/32", "nw_proto": "ICMP", "actions": "DENY", "priority": "10"}' http://localhost:8080/firewall/rules/000008002734600a


- delete firewall rule
$ curl -X DELETE -d '{"rule_id": "12"}' http://localhost:8080/firewall/rules/000008002734600a

- list switch flows
$ curl -X GET http://localhost:8080/stats/flow/290271735463054


-list switch description
$ curl -X GET http://localhost:8080/stats/desc/290271735463054

-list table
$ curl -X GET http://localhost:8080/stats/table/290271735463054

-list port
$ curl -X GET http://localhost:8080/stats/port/290271735463054

-list table feature
$  curl -X GET http://localhost:8080/stats/tablefeatures/8796750766090
