Commit 34197891 by Guba Sándor

net: added not managed network MAC address ban

parent 3a347f2c
...@@ -2,6 +2,32 @@ import subprocess ...@@ -2,6 +2,32 @@ import subprocess
import logging import logging
from netcelery import celery from netcelery import celery
from os import getenv
from vm import VMNetwork
driver = getenv("HYPERVISOR_TYPE", "test")
@celery.task
def create(network):
port_create(VMNetwork.deserialize(network))
@celery.task
def delete(network):
port_delete(VMNetwork.deserialize(network))
def add_tuntap_interface(if_name):
'''For testing purpose only adding tuntap interface.
'''
subprocess.call(['sudo', 'ip', 'tuntap', 'add', 'mode', 'tap', if_name])
def del_tuntap_interface(if_name):
'''For testing purpose only deleting tuntap interface.
'''
subprocess.call(['sudo', 'ip', 'tuntap', 'del', 'mode', 'tap', if_name])
def ovs_command_execute(command): def ovs_command_execute(command):
...@@ -24,18 +50,6 @@ def ofctl_command_execute(command): ...@@ -24,18 +50,6 @@ def ofctl_command_execute(command):
return return_val return return_val
@celery.task
def create(network_list):
for network in network_list:
port_create(network)
@celery.task
def delete(network_list):
for network in network_list:
port_delete(network)
def build_flow_rule( def build_flow_rule(
in_port=None, in_port=None,
dl_src=None, dl_src=None,
...@@ -92,6 +106,16 @@ def del_port_from_bridge(network_name): ...@@ -92,6 +106,16 @@ def del_port_from_bridge(network_name):
ovs_command_execute(['del-port', network_name]) ovs_command_execute(['del-port', network_name])
def mac_filter(network, port_number, delete=False):
if not delete:
flow_cmd = build_flow_rule(in_port=port_number, dl_src=network.mac,
priority="40000", actions="normal")
ofctl_command_execute(["add-flow", network.bridge, flow_cmd])
else:
flow_cmd = build_flow_rule(in_port=port_number, dl_src=network.mac)
ofctl_command_execute(["del-flows", network.bridge, flow_cmd])
def ban_dhcp_server(network, port_number, delete=False): def ban_dhcp_server(network, port_number, delete=False):
if not delete: if not delete:
flow_cmd = build_flow_rule(in_port=port_number, dl_src=network.mac, flow_cmd = build_flow_rule(in_port=port_number, dl_src=network.mac,
...@@ -155,7 +179,7 @@ def enable_dhcp_client(network, port_number, delete=False): ...@@ -155,7 +179,7 @@ def enable_dhcp_client(network, port_number, delete=False):
def disable_all_not_allowed_trafic(network, port_number, delete=False): def disable_all_not_allowed_trafic(network, port_number, delete=False):
if not delete: if not delete:
flow_cmd = build_flow_rule(in_port=port_number, flow_cmd = build_flow_rule(in_port=port_number,
priority="39000", actions="drop") priority="30000", actions="drop")
ofctl_command_execute(["add-flow", network.bridge, flow_cmd]) ofctl_command_execute(["add-flow", network.bridge, flow_cmd])
else: else:
flow_cmd = build_flow_rule(in_port=port_number) flow_cmd = build_flow_rule(in_port=port_number)
...@@ -163,8 +187,12 @@ def disable_all_not_allowed_trafic(network, port_number, delete=False): ...@@ -163,8 +187,12 @@ def disable_all_not_allowed_trafic(network, port_number, delete=False):
def port_create(network): def port_create(network):
''' Adding port to bridge apply rules and pull up interface.
''' '''
''' # For testing purpose create tuntap iface
if driver == "test":
add_tuntap_interface(network.name)
# Create the port for virtual network # Create the port for virtual network
add_port_to_bridge(network.name, network.bridge) add_port_to_bridge(network.name, network.bridge)
# Set VLAN parameter for tap interface # Set VLAN parameter for tap interface
...@@ -175,12 +203,18 @@ def port_create(network): ...@@ -175,12 +203,18 @@ def port_create(network):
# Set Flow rules to avoid mac or IP spoofing # Set Flow rules to avoid mac or IP spoofing
if network.managed: if network.managed:
# Allow traffic from fource MAC and IP
ban_dhcp_server(network, port_number) ban_dhcp_server(network, port_number)
ipv4_filter(network, port_number) ipv4_filter(network, port_number)
ipv6_filter(network, port_number) ipv6_filter(network, port_number)
arp_filter(network, port_number) arp_filter(network, port_number)
enable_dhcp_client(network, port_number) enable_dhcp_client(network, port_number)
else:
# Allow all traffic from source MAC address
mac_filter(network, port_number)
# Explicit deny all other traffic
disable_all_not_allowed_trafic(network, port_number) disable_all_not_allowed_trafic(network, port_number)
pull_up_interface(network)
def port_delete(network): def port_delete(network):
...@@ -201,6 +235,10 @@ def port_delete(network): ...@@ -201,6 +235,10 @@ def port_delete(network):
# Delete port # Delete port
del_port_from_bridge(network.name) del_port_from_bridge(network.name)
# For testing purpose dele tuntap iface
if driver == "test":
del_tuntap_interface(network.name)
def pull_up_interface(network): def pull_up_interface(network):
command = ['sudo', 'ip', 'link', 'set', 'up', network] command = ['sudo', 'ip', 'link', 'set', 'up', network]
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or sign in to comment