trema 0.4.6 → 0.4.7

data/src/examples/transparent_firewall/block-rfc1918.rb

@@ -0,0 +1,86 @@
+#
+# Copyright (C) 2014 Denis Ovsienko
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License, version 2, as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+# A sample transparent firewall, see README.md for more information.
+class BlockRFC1918 < Controller
+  PORTS = {
+    outside: 1,
+    inside: 2,
+    inspect: 3
+  }
+
+  PREFIXES = ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'].map do |each|
+    Pio::IPv4Address.new each
+  end
+
+  def switch_ready(dpid)
+    if @dpid
+      info "#{dpid.to_hex}: ignored"
+      return
+    end
+    @dpid = dpid
+    info "#{@dpid.to_hex}: connected"
+    start_loading
+  end
+
+  def switch_disconnected(dpid)
+    return if @dpid != dpid
+    info "#{@dpid.to_hex}: disconnected"
+    @dpid = nil
+  end
+
+  def barrier_reply(dpid, message)
+    return if dpid != @dpid
+    info "#{@dpid.to_hex}: loading finished"
+  end
+
+  private
+
+  def start_loading
+    PREFIXES.each do |each|
+      block_prefix_on_port(each, PORTS[:inside], 5000)
+      block_prefix_on_port(each, PORTS[:outside], 4000)
+    end
+    install_postamble(1500)
+    send_message(@dpid, BarrierRequest.new)
+  end
+
+  def block_prefix_on_port(prefix, port_number, priority)
+    send_flow_mod_add(
+      @dpid,
+      priority: priority + 100,
+      match: Match.new(in_port: port_number, dl_type: 0x0800, nw_src: prefix),
+      actions: SendOutPort.new(PORTS[:inspect]))
+    send_flow_mod_add(
+      @dpid,
+      priority: priority,
+      match: Match.new(in_port: port_number, dl_type: 0x0800, nw_dst: prefix),
+      actions: SendOutPort.new(PORTS[:inspect]))
+  end
+
+  def install_postamble(priority)
+    send_flow_mod_add(
+      @dpid,
+      priority: priority + 100,
+      match: Match.new(in_port: PORTS[:inside]),
+      actions: SendOutPort.new(PORTS[:outside]))
+    send_flow_mod_add(
+      @dpid,
+      priority: priority,
+      match: Match.new(in_port: PORTS[:outside]),
+      actions: SendOutPort.new(PORTS[:inside]))
+  end
+end

data/src/examples/transparent_firewall/pass-delegated.rb

@@ -0,0 +1,178 @@
+#
+# Copyright (C) 2014 Denis Ovsienko
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License, version 2, as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+# A sample transparent firewall, see README.md for more information.
+class PassDelegated < Controller
+  PORTS = {
+    outside: 1,
+    inside: 2,
+    inspect: 3
+  }
+
+  PRIORITIES = {
+    bypass: 65_000,
+    prefix: 64_000,
+    inspect: 1000,
+    non_ipv4: 900
+  }
+
+  PREFIX_FILES = %w(afrinic apnic arin lacnic ripencc).map do |each|
+    "aggregated-delegated-#{each}.txt"
+  end
+
+  add_periodic_timer_event :request_flow_stats, 30
+
+  def start
+    @prefixes = PREFIX_FILES.reduce([]) do |result, each|
+      data = IO.readlines(File.join(File.dirname(__FILE__), each))
+      info "#{each}: #{data.size} prefix(es)"
+      result + data
+    end
+  end
+
+  def switch_ready(dpid)
+    if @dpid
+      info "#{dpid.to_hex}: ignored"
+      return
+    end
+    @dpid = dpid
+    info "#{@dpid.to_hex}: connected"
+    start_loading
+  end
+
+  def switch_disconnected(dpid)
+    return if @dpid != dpid
+    info "#{@dpid.to_hex}: disconnected"
+    @dpid = nil
+  end
+
+  def barrier_reply(dpid, message)
+    return if dpid != @dpid
+    case @state
+    when :loading then finish_loading
+    when :running then dump_flow_stats
+    else fail
+    end
+  end
+
+  def stats_reply(dpid, message)
+    return unless dpid == @dpid && message.type == StatsReply::OFPST_FLOW
+    message.stats.each do |each|
+      case each.priority
+      when PRIORITIES[:prefix]
+        @stats.push each if each.byte_count > 0
+      when PRIORITIES[:inspect]
+        @denied_bytes = each.byte_count
+      end
+    end
+  end
+
+  private
+
+  def start_loading
+    install_preamble_and_bypass
+    install_prefixes
+    install_postamble
+    @state = :loading
+    @loading_started = Time.now
+    send_message(@dpid, BarrierRequest.new)
+  end
+
+  # All flows in place, safe to remove bypass.
+  def finish_loading
+    send_flow_mod_delete(
+      @dpid,
+      strict: true,
+      priority: PRIORITIES[:bypass],
+      match: Match.new(in_port: PORTS[:outside]))
+    info '%s: bypass OFF', @dpid.to_hex
+    info('%s: loading finished in %.2f second(s)',
+         @dpid.to_hex, Time.now - @loading_started)
+    @denied_bytes = 0
+    @state = :running
+  end
+
+  def install_preamble_and_bypass
+    send_flow_mod_add(
+      @dpid,
+      priority: PRIORITIES[:bypass],
+      match: Match.new(in_port: PORTS[:inside]),
+      actions: SendOutPort.new(PORTS[:outside]))
+    send_flow_mod_add(
+      @dpid, priority: PRIORITIES[:bypass],
+             match: Match.new(in_port: PORTS[:outside]),
+             actions: SendOutPort.new(PORTS[:inside]))
+    info "#{@dpid.to_hex}: bypass ON"
+  end
+
+  def install_prefixes
+    info "#{@dpid.to_hex}: loading started"
+    @prefixes.each do |each|
+      send_flow_mod_add(
+        @dpid, priority: PRIORITIES[:prefix],
+               match: Match.new(in_port: PORTS[:outside],
+                                dl_type: 0x0800,
+                                nw_src: Pio::IPv4Address.new(each)),
+               actions: SendOutPort.new(PORTS[:inside]))
+    end
+  end
+
+  # Deny any other IPv4 and permit non-IPv4 traffic.
+  def install_postamble
+    send_flow_mod_add(
+      @dpid,
+      priority: PRIORITIES[:inspect],
+      match: Match.new(in_port: PORTS[:outside], dl_type: 0x0800),
+      actions: SendOutPort.new(PORTS[:inspect]))
+    send_flow_mod_add(
+      @dpid,
+      priority: PRIORITIES[:non_ipv4],
+      match: Match.new(in_port: PORTS[:outside]),
+      actions: SendOutPort.new(PORTS[:inside]))
+  end
+
+  def dump_top_flows
+    return unless @stats.size > 0
+    info 'top-10 permitted source prefixes by bytes'
+    @stats.first(10).each do |each|
+      info('%15s/%-2u %u',
+           each.match.nw_src.to_s,
+           each.match.nw_src.prefixlen,
+           each.byte_count)
+    end
+  end
+
+  def dump_flow_stats
+    @stats.sort! do |a, b|
+      1 if a.byte_count < b.byte_count
+      -1 if a.byte_count > b.byte_count
+      0
+    end
+    dump_top_flows
+    info "total denied bytes: #{@denied_bytes}" if @denied_bytes > 0
+    @stats = []
+  end
+
+  # Interested in flows with and without IPv4 prefixes.
+  def request_flow_stats
+    return if @dpid.nil? || @state != :running
+    @stats = []
+    send_message(
+      @dpid,
+      FlowStatsRequest.new(match: Match.new(in_port: PORTS[:outside])))
+    send_message @dpid, BarrierRequest.new
+  end
+end

data/src/examples/transparent_firewall/regen_aggregated.sh

@@ -0,0 +1,53 @@
+#!/bin/sh
+
+# This helper script fetches each RIR's current delegation statistics and
+# produces an aggregated CIDR version of the data.
+
+usage()
+{
+	echo "Usage: $0 [-f]"
+	echo " -f  force data download"
+	exit 1
+}
+
+[ $# -eq 0 -o $# -eq 1 ] || usage
+
+case $# in
+	0) FORCE=0 ;;
+	1)
+		case "$1" in
+			-f) FORCE=1 ;;
+			*)  usage ;;
+		esac
+		;;
+	*) usage ;;
+esac
+
+if ! which aggregate >/dev/null 2>&1; then
+	echo 'Error: "aggregate" is not available!'
+	exit 2
+fi
+if which lftpget >/dev/null 2>&1; then
+	FETCH=lftpget
+elif which wget >/dev/null 2>&1; then
+	FETCH=wget
+elif which curl >/dev/null 2>&1; then
+	FETCH=curl
+else
+	echo 'Error: neither "lftpget" nor "wget" nor "curl" is available!'
+	exit 2
+fi
+
+for rir in afrinic apnic arin lacnic ripencc; do
+	# Fetch NROESF, ARIN has discontinued RIRSEF.
+	dfile=delegated-$rir-extended-latest
+	afile=aggregated-delegated-$rir.txt
+	if [ ! -s $dfile -o $FORCE -eq 1 ]; then
+		[ -s $dfile ] && rm -f $dfile
+		lftpget ftp://ftp.ripe.net/pub/stats/$rir/$dfile
+	fi
+	if [ ! -s $afile -o $dfile -nt $afile ]; then
+		cat $dfile | ./stats-to-cidrs.rb | aggregate > $afile
+		wc -l $afile
+	fi
+done

data/src/examples/transparent_firewall/stats-to-cidrs.rb

@@ -0,0 +1,59 @@
+#!/usr/bin/env ruby
+
+# This helper scripts translates stdin in RIR Statistics Exchange Format [1]
+# or NRO Extended Stats Format [2] into stdout in "dotted-quad/masklen" CIDR
+# format (one CIDR block per line). It processes only assigned/allocated IPv4
+# address ranges and produces one or more CIDR blocks for each range.
+#
+# 1: ftp://ftp.ripe.net/ripe/stats/RIR-Statistics-Exchange-Format.txt
+# 2: https://www.arin.net/knowledge/statistics/nro_extended_stats_format.pdf
+#
+# Copyright (C) 2013 Denis Ovsienko
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License, version 2, as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+# "gem install ipaddress" or "yum install rubygem-ipaddress"
+require 'ipaddress'
+
+def max_pow2_denominating(x)
+  denominators =
+    { 2**24 => 24, 2**23 => 23, 2**22 => 22, 2**21 => 21, 2**20 => 20,
+      2**19 => 19, 2**18 => 18, 2**17 => 17, 2**16 => 16, 2**15 => 15,
+      2**14 => 14, 2**13 => 13, 2**12 => 12, 2**11 => 11, 2**10 => 10,
+      2**9 => 9, 2**8 => 8, 2**7 => 7, 2**6 => 6, 2**5 => 5, 2**4 => 4,
+      2**3 => 3 }
+  denominators.each do |pow, index|
+    return index if x % pow == 0
+  end
+  fail(ArgumentError)
+end
+
+def max_pow2_not_greater(x)
+  Integer(Math.log2(x))
+end
+
+re = /\|ipv4\|([\d\.]+)\|(\d+)\|\d+\|(?:allocated|assigned)/
+ARGF.each_line do |line|
+  next if (match = re.match(line)).nil?
+  start = IPAddress::IPv4.new(match[1]).u32
+  count = Integer(match[2])
+  fail(ArgumentError, '/8 is the largest allowed prefix') if count > 2**24
+  while count > 0
+    idx2 = [max_pow2_denominating(start), max_pow2_not_greater(count)].min
+    fail(ArgumentError, '/29 is the smallest allowed prefix') if idx2 < 3
+    puts(IPAddress::IPv4.parse_u32(start, 32 - idx2).to_string)
+    start += 2**idx2
+    count -= 2**idx2
+  end
+end

data/src/lib/messenger.c

@@ -192,7 +192,8 @@ typedef struct send_queue {
 
 #define MESSENGER_RECV_BUFFER 100000
 static const uint32_t messenger_send_queue_length = MESSENGER_RECV_BUFFER * 4;
-static const uint32_t messenger_send_length_for_flush = MESSENGER_RECV_BUFFER;
+static const uint32_t messenger_flush_limit_length = MESSENGER_RECV_BUFFER * 2;
+static const uint32_t messenger_flush_length = MESSENGER_RECV_BUFFER / 4;
 static const uint32_t messenger_bucket_size = MESSENGER_RECV_BUFFER;
 static const uint32_t messenger_recv_queue_length = MESSENGER_RECV_BUFFER * 2;
 static const uint32_t messenger_recv_queue_reserved = MESSENGER_RECV_BUFFER;
@@ -885,10 +886,6 @@ send_queue_connect( send_queue *sq ) {
   set_fd_handler( sq->server_socket, on_send_read, sq, on_send_write, sq );
   set_readable( sq->server_socket, true );
 
-  if ( sq->buffer != NULL && sq->buffer->data_length >= sizeof( message_header ) ) {
-    set_writable( sq->server_socket, true );
-  }
-
   debug( "Connection established ( service_name = %s, sun_path = %s, fd = %d ).",
          sq->service_name, sq->server_addr.sun_path, sq->server_socket );
 
@@ -899,6 +896,14 @@ send_queue_connect( send_queue *sq ) {
 
   send_dump_message( MESSENGER_DUMP_SEND_CONNECTED, sq->service_name, NULL, 0 );
 
+  if ( sq->buffer != NULL && sq->buffer->data_length >= sizeof( message_header ) ) {
+    set_writable( sq->server_socket, true );
+    if ( sq->buffer->data_length >= messenger_flush_length &&
+         sq->buffer->data_length < messenger_flush_limit_length ) {
+      on_send_write( sq->server_socket, sq );
+    }
+  }
+
   return 1;
 }
 
@@ -1101,6 +1106,10 @@ push_message_to_send_queue( const char *service_name, const uint8_t message_type
   }
 
   set_writable( sq->server_socket, true );
+  if ( sq->buffer->data_length >= messenger_flush_length &&
+       sq->buffer->data_length < messenger_flush_limit_length ) {
+    on_send_write( sq->server_socket, sq );
+  }
 
   return true;
 }

data/src/lib/openflow_message.c

@@ -2487,11 +2487,6 @@ validate_port_stats_request( const buffer *message ) {
 
   port_stats_request = ( struct ofp_port_stats_request * ) stats_request->body;
 
-  ret = validate_phy_port_no( ntohs( port_stats_request->port_no ) );
-  if ( ret < 0 ) {
-    return ret;
-  }
-
   if ( ntohs( port_stats_request->port_no ) > OFPP_MAX
        && ntohs( port_stats_request->port_no ) != OFPP_NONE
        && ntohs( port_stats_request->port_no ) != OFPP_LOCAL ) {

data/tasks/rubocop.rake

@@ -0,0 +1,22 @@
+begin
+  require 'rubocop/rake_task'
+  Rubocop::RakeTask.new do |task|
+    task.patterns =
+      [
+        'Gemfile',
+        'Rakefile',
+        'bin/*',
+        'cruise.rb',
+        'features/**/*.rb',
+        'ruby/**/*.rb',
+        'spec/**/*.rb',
+        'src/**/*.rb',
+        'tasks/*.rake',
+        'trema.gemspec'
+      ]
+  end
+rescue LoadError
+  task :rubocop do
+    $stderr.puts 'Rubocop is disabled'
+  end
+end