Firewall - Examples fix and doc enhancement (#296)
* Fixed typo in Tutorial4
* [FIX] Firewall examples and doc improvement

This commit aims to fix all the firewall examples which, unfortunately,
were referring to an older version of the service. An additional script
to clear the environment has been created and linked into the doc.

Signed-off-by: Simone Magnani <simonemagnani.96@gmail.com>
s41m0n committed May 14, 2020
1 parent 16bcb4e commit b4a128e
Showing 14 changed files with 162 additions and 160 deletions.
2 changes: 1 addition & 1 deletion Documentation/tutorials/tutorial4/tutorial4.rst
@@ -1,4 +1,4 @@
Tutorial 4: Attach/Detatch multiple transparent cubes
Tutorial 4: Attach multiple transparent cubes
=============================================================

This simple tutorial aims to show how multiple cubes can be attached to the same interface/port. For the sake of semplicity the configuration presented in this tutorial is really simple, but enough to undestand the principle behind these operations.
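Review bot: the unchanged body line still carries two spelling errors ("semplicity" should be "simplicity", "undestand" should be "understand"); since the commit message labels this change a typo fix for Tutorial 4, correct them in the same commit. Also confirm that dropping "Detach" from the title is intended: if the tutorial body still covers detaching cubes, the shorter title no longer describes it.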
19 changes: 15 additions & 4 deletions src/services/pcn-firewall/examples/README.md
@@ -2,13 +2,24 @@
The example folder contains a set of simple scripts to understand how the firewall service and cli works.

## Prerequisites
All scripts assume that polycubed has been already launched, and that there are two namespaces already created and configured. To create the namespaces, please execute the script [setup_veth.sh](./setup_veth.sh).
All scripts assume that polycubed has been already launched, and that there is a standard cube running with two ports belonging to two namespaces already created and configured. Moreover, a firewall instance should be running and attached to one of the standard cube's port.
To set up all the needed components, please execute the script [setup_env.sh](./setup_env.sh).

## Examples:
- [Ping](./allow_ping.sh): Connects the two namespaces using the firewall service, and allows only the ICMP echo requests/responses. In order to test that the configuration succeeded, you can launch the script [test_ping.sh](./test_ping.sh).
- [TCP](./allow_tcp.sh): Connects the two namespaces using the firewall service, and allows only the TCP traffic. In order to test that the configuration succeeded, you can launch the script [test_tcp.sh](./test_tcp.sh). If the test_tcp script fails, please install the nping program.
- [Advanced TCP](./allow_tcp_adv.sh): Connects the two namespaces using the firewall service, and allows only specific TCP traffic, specifying ports and flags. In order to test that the configuration succeeded, you can launch the script [test_tcp_adv.sh](./test_tcp_adv.sh). If the test_tcp script fails, please install the nping program.
- [Ping](./allow_ping.sh): Connects the firewall to one of the standard cube's port, and allows only the ICMP echo requests/responses. In order to test that the configuration succeeded, you can launch the script [test_ping.sh](./test_ping.sh).
- [TCP](./allow_tcp.sh): Connects the firewall to one of the standard cube's port, and allows only the TCP traffic. In order to test that the configuration succeeded, you can launch the script [test_tcp.sh](./test_tcp.sh). If the test_tcp script fails, please install the nping program.
- [Advanced TCP](./allow_tcp_adv.sh): Connects the firewall to one of the standard cube's port, and allows only specific TCP traffic, specifying ports and flags. In order to test that the configuration succeeded, you can launch the script [test_tcp_adv.sh](./test_tcp_adv.sh). If the test_tcp script fails, please install the nping program.
- [Append](./use_append.sh): This example is like the Ping one, as the rule set is the same, but it gives an example on how to insert rules at the end of the chain without specifying their ID. At the end of the script, there is already a ping command to test the configuration.
- [Counters](./use_counters.sh): This example is like the Ping one, as the rule set is the same, but it shows how to query and flush the counters. After a ping, that requires two packets matching the rule 0 to be traverse each chain, it executes three different queries to get the statistics. After all queries have been completed, it reset the counters flushing them back to 0.
- [Transactions](./use_transactions.sh): This example is like the Ping one, as the rule set is the same, but it shows how to use transactions instead of the interactive mode. This mode is strongly suggested when more than one rule has to be inserted, like in the example. **For each chain**, after the rules have been inserted, the command `polycubectl firewall fw chain INGRESS apply-rules` (*for the ingress chain*) is issued to apply the rule set, requiring a single interaction with the datapath.
- [Host Mode](./host_mode.sh): This example shows how to use the firewall in the host mode, intercepting the traffic **from the outside to the host**. At the moment it is not possible to intercept traffic in the other direction. This example considers the physical interface connected to the internet.

Please note that some example does not volountarly delete used resources like firewall or network namespace, since a user can play with multiple rules (e.g. allow IP and TCP). Thus, the behaviour of some tests may change depending on the allowed scripts run.

To cleanup the entire environment or only the firewall's rules, refer to the following sections.

## Reset
To reset the firewall's rules, please use the script [reset_firewall.sh](./reset_firewall.sh).

## Cleanup
To cleanup the environment, please use the script [cleanup_env.sh](./cleanup_env.sh).
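Review bot: the Host Mode bullet still states that only traffic from the outside to the host is intercepted and that the other direction is not possible, while host_mode.sh in this same commit adds EGRESS rules and removes its "ONLY the ingress chain is supported" banner; update the bullet so the README and the script agree. The Ping, TCP and Advanced TCP bullets say each script "Connects the firewall to one of the standard cube's port", but after this change those scripts only insert rules (setup_env.sh does the attaching), so describe them as configuring rules on the already attached firewall. The prose also has several typos: "volountarly" (voluntarily), "some example does not" (some examples do not), "standard cube's port" (ports), "to be traverse each chain" (to traverse each chain), and "it reset the counters" (it resets).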
29 changes: 5 additions & 24 deletions src/services/pcn-firewall/examples/allow_ping.sh
@@ -5,32 +5,13 @@ set -x
# assume polycubed is already running
# sudo polycubed -d

# assume veth1 and veth2 already created and configured
# ./setup_veth.sh
# assume standard cube (br) and firewall (fw) already created and running
# ./setup_env.sh

echo "configure firewall and connect ports"
polycubectl fw chain EGRESS insert l4proto=ICMP src=10.0.0.2/32 dst=10.0.0.1 action=FORWARD

polycubectl firewall add fw

polycubectl firewall fw ports add fw-p1
polycubectl firewall fw ports add fw-p2

polycubectl firewall fw ports fw-p1 set peer=veth1
polycubectl firewall fw ports fw-p2 set peer=veth2


echo "Press any key to set-up rules..."
read

# EGRESS_CHAIN and INGRESS_CHAIN are now considered independently

# veth1 <---- EGRESS ----< veth2
# veth1 >----INGRESS ----> veth2

polycubectl firewall fw chain EGRESS rule add 0 l4proto=ICMP src=10.0.0.2/32 dst=10.0.0.1 action=FORWARD

polycubectl firewall fw chain INGRESS rule add 0 l4proto=ICMP src=10.0.0.1 dst=10.0.0.2 action=FORWARD
polycubectl fw chain INGRESS insert l4proto=ICMP src=10.0.0.1/32 dst=10.0.0.2 action=FORWARD

# ARP packets are allowed by default by firewall policy.

echo "Wait for the rules to be updated, and execute ./test_ping.sh"
echo "Wait for the rules to be updated, and execute ./test_ping.sh"
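Review bot: the two rule commands use `polycubectl fw chain ... insert`, omitting the `firewall` service keyword, whereas allow_tcp.sh and allow_tcp_adv.sh in this same commit use `polycubectl firewall fw chain ... insert`; use one form across the examples so readers do not have to wonder whether the two are equivalent. The removed lines also took the chain-direction diagram (veth1 <---- EGRESS ----< veth2) with them; a one-line comment pointing at the copy kept in setup_env.sh (br:port1 <---- EGRESS ----< br:port2) would explain why the EGRESS rule has src=10.0.0.2 and the INGRESS rule src=10.0.0.1. Minor: src is written with /32 while dst is a bare address; use the same notation for both.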
26 changes: 4 additions & 22 deletions src/services/pcn-firewall/examples/allow_tcp.sh
@@ -5,31 +5,13 @@ set -x
# assume polycubed is already running
# sudo polycubed -d

# assume veth1 and veth2 already created and configured
# ./setup_veth.sh

echo "Configure firewall and connect ports"

polycubectl firewall add fw

polycubectl firewall fw ports add fw-p1
polycubectl firewall fw ports add fw-p2

polycubectl firewall fw ports fw-p1 set peer=veth1
polycubectl firewall fw ports fw-p2 set peer=veth2

echo "Press any key to set-up rules..."
read

# EGRESS_CHAIN and INGRESS_CHAIN are now considered independently

# veth1 <---- EGRESS ----< veth2
# veth1 >----INGRESS ----> veth2
# assume standard cube (br) and firewall (fw) already created and running
# ./setup_cube.sh

# allow TCP traffic from/to 10.0.0.0/24

polycubectl firewall fw chain EGRESS rule add 0 l4proto=TCP src=10.0.0.0/24 dst=10.0.0.0/24 action=FORWARD
polycubectl firewall fw chain EGRESS insert l4proto=TCP src=10.0.0.0/24 dst=10.0.0.0/24 action=FORWARD

polycubectl firewall fw chain INGRESS rule add 0 l4proto=TCP src=10.0.0.0/24 dst=10.0.0.0/24 action=FORWARD
polycubectl firewall fw chain INGRESS insert l4proto=TCP src=10.0.0.0/24 dst=10.0.0.0/24 action=FORWARD

echo "Wait for the rules to be updated and launch test_tcp.sh"
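Review bot: the new header comment points to `./setup_cube.sh`, a script that does not exist in this commit; the environment script added here, and referenced by allow_ping.sh and allow_tcp_adv.sh, is `./setup_env.sh`. Fix the path so a reader copying the comment runs the right script.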
30 changes: 6 additions & 24 deletions src/services/pcn-firewall/examples/allow_tcp_adv.sh
@@ -5,33 +5,15 @@ set -x
# assume polycubed is already running
# sudo polycubed -d

# assume veth1 and veth2 already created and configured
# ./setup_veth.sh

echo "Configure firewall and connect ports"

polycubectl firewall add fw

polycubectl firewall fw ports add fw-p1
polycubectl firewall fw ports add fw-p2

polycubectl firewall fw ports fw-p1 set peer=veth1
polycubectl firewall fw ports fw-p2 set peer=veth2

echo "Press any key to set-up rules..."
read

# EGRESS_CHAIN and INGRESS_CHAIN are now considered independently

# veth1 <---- EGRESS ----< veth2
# veth1 >----INGRESS ----> veth2
# assume standard cube (br) and firewall (fw) already created and running
# ./setup_env.sh

# allow TCP traffic for test_tcp_adv.sh

polycubectl firewall fw chain EGRESS rule add 0 l4proto=TCP src=10.0.0.0/16 dst=10.0.0.0/16 sport=5678 dport=1234 action=FORWARD tcpflags='SYN, ACK, !RST'
polycubectl firewall fw chain EGRESS rule add 1 l4proto=TCP src=10.0.0.0/16 dst=10.0.0.0/16 sport=5678 dport=1234 action=FORWARD
polycubectl firewall fw chain EGRESS insert l4proto=TCP src=10.0.0.0/16 dst=10.0.0.0/16 sport=5678 dport=1234 action=FORWARD tcpflags='SYN, ACK, !RST'
polycubectl firewall fw chain EGRESS insert l4proto=TCP src=10.0.0.0/16 dst=10.0.0.0/16 sport=5678 dport=1234 action=FORWARD

polycubectl firewall fw chain INGRESS rule add 0 l4proto=TCP src=10.0.0.0/8 dst=10.0.0.0/8 sport=1234 dport=5678 action=FORWARD
polycubectl firewall fw chain INGRESS rule add 1 l4proto=TCP src=10.0.0.0/8 dst=10.0.0.0/8 sport=1234 dport=5678 action=FORWARD tcpflags='SYN, ACK, !RST, !CWR'
polycubectl firewall fw chain INGRESS insert l4proto=TCP src=10.0.0.0/8 dst=10.0.0.0/8 sport=1234 dport=5678 action=FORWARD
polycubectl firewall fw chain INGRESS insert l4proto=TCP src=10.0.0.0/8 dst=10.0.0.0/8 sport=1234 dport=5678 action=FORWARD tcpflags='SYN, ACK, !RST, !CWR'

echo "Wait for the rules to be updated and launch test_tcp_adv.sh"
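Review bot: in each chain the rule carrying `tcpflags` is made redundant by its neighbour, which has the same addresses and ports but no flag constraint and the same action=FORWARD: every segment the flags rule matches is forwarded by the broader rule as well, whichever order `insert` places them in, so test_tcp_adv.sh cannot observe flag matching having any effect. If the intent is to demonstrate tcpflags, give the broader rule action=DROP (or remove it) so that only the SYN/ACK-without-RST segments pass; if the intent is only to show the syntax, say so in the comment above the rules.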
14 changes: 14 additions & 0 deletions src/services/pcn-firewall/examples/cleanup_env.sh
@@ -0,0 +1,14 @@
#!/bin/bash
set -x

#Deleting firewall
polycubectl firewall del fw

#Deleting standard cube
polycubectl simplebridge del br

#Deleting namespaces
for i in `seq 1 2`;do
sudo ip link del veth${i}
sudo ip netns del ns${i}
done
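Review bot: the firewall and bridge deletions are unguarded, so when `fw` is already gone (use_append.sh's EXIT trap deletes it) `polycubectl firewall del fw` prints an error even though the end state is the one the user wants; redirect those errors as setup_env.sh does for the namespace deletions (`> /dev/null 2>&1`) or add a comment that the failure is expected. Style: prefer `for i in 1 2` or `$(seq 1 2)` over backticks, put a space after `#` in the comments, and indent the loop body.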
41 changes: 24 additions & 17 deletions src/services/pcn-firewall/examples/host_mode.sh
@@ -1,37 +1,44 @@
#!/bin/bash

set -x
#Argument 1 is the physical interface name
if [ $# -ne 1 ];then
echo "No arguments <physical_interface_name> supplied"
exit 1
fi

# assume polycubed is already running
# sudo polycubed -d

# assume veth1 and veth2 already created and configured
# ./setup_veth.sh
# There is no need to run setup_env.sh
# since this example attaches the firewall directly to the physical interface

function fwcleanup {
set +e
polycubectl firewall del fw
polycubectl firewall del fw1
}
trap fwcleanup EXIT

echo -e '\nExample using the host mode \n'
echo -e '\n+++ ONLY the ingress chain is supported at the moment! \n'
echo 'Example using the host mode'

set -e
set -x

polycubectl firewall add fw
polycubectl firewall add fw1

# Attaching the firewall to the physical interface
polycubectl attach fw1 $1

polycubectl firewall fw1 chain INGRESS rule add 0 l4proto=UDP action=FORWARD
polycubectl firewall fw1 chain INGRESS rule add 1 l4proto=ICMP action=FORWARD

# Connecting the host
polycubectl firewall fw ports add to_host
polycubectl firewall fw ports to_host set peer=:host
polycubectl firewall fw1 chain EGRESS rule add 0 l4proto=UDP action=FORWARD
polycubectl firewall fw1 chain EGRESS rule add 1 l4proto=ICMP action=FORWARD

# ++ Replace <physicalInterface> with the physical interface name
polycubectl firewall fw ports add to_ens
polycubectl firewall fw ports to_ens set peer=<physicalInterface>
echo "Press any key to test applied rules"
read

polycubectl firewall fw chain INGRESS rule add 0 l4proto=UDP action=FORWARD
polycubectl firewall fw chain INGRESS rule add 1 l4proto=ICMP action=FORWARD
#Ping allowed
ping -c 2 google.com

#ping
ping www.google.it
#TCP not allowed (no response)
nping -c 2 google.com
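Review bot: the final probe `nping -c 2 google.com` is labelled "TCP not allowed (no response)" but does not select a TCP probe mode, unlike use_append.sh which passes `--tcp`; with only UDP and ICMP forwarded, pass `--tcp` explicitly so the test exercises the protocol the comment claims. Two smaller points: `set -x` is enabled twice (at the top and again before the `polycubectl` calls), and `$1` is unquoted in `polycubectl attach fw1 $1`. Since this hunk adds EGRESS rules and drops the "ONLY the ingress chain is supported" banner, the README's Host Mode bullet in this same commit should be updated to match.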
11 changes: 11 additions & 0 deletions src/services/pcn-firewall/examples/reset_firewall.sh
@@ -0,0 +1,11 @@
#!/bin/bash

set -x

polycubectl fw del

polycubectl firewall add fw

polycubectl attach fw br:port1

echo "Firewall reconfigured"
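Review bot: the README describes this script as resetting the firewall's rules, but it deletes the whole `fw` cube and creates a new one attached to a hard-coded `br:port1`, so any firewall-level setting is lost and the script only fits the topology built by setup_env.sh; document that, or flush the chains instead if the CLI offers it. Without `set -e`, "Firewall reconfigured" is echoed even when `polycubectl attach fw br:port1` fails; add `set -e` as the other examples do.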
49 changes: 49 additions & 0 deletions src/services/pcn-firewall/examples/setup_env.sh
@@ -0,0 +1,49 @@
#! /bin/bash

set -x

# Setup veths. Useful for testing service with linux namespaces.

echo "Configuring network namespaces"

for i in `seq 1 2`;
do
sudo ip netns del ns${i} > /dev/null 2>&1 # remove ns if already existed
sudo ip link del veth${i} > /dev/null 2>&1

sudo ip netns add ns${i}
sudo ip link add veth${i}_ type veth peer name veth${i}
sudo ip link set veth${i}_ netns ns${i}
sudo ip netns exec ns${i} ip link set dev veth${i}_ up
sudo ip link set dev veth${i} up
sudo ip netns exec ns${i} ifconfig veth${i}_ 10.0.0.${i}/24
done

# Setup standard cube (Simplebridge)

echo "Configuring standard cube"

polycubectl br del

polycubectl simplebridge add br

polycubectl simplebridge br ports add port1
polycubectl simplebridge br ports add port2

polycubectl connect br:port1 veth1
polycubectl connect br:port2 veth2

# Creating and attaching Firewall to Simplebridge

echo "Configuring Firewall"

polycubectl fw del

polycubectl firewall add fw

polycubectl attach fw br:port1

# EGRESS_CHAIN and INGRESS_CHAIN are now considered independently

# br:port1 <---- EGRESS ----< br:port2
# br:port1 >----INGRESS ----> br:port2
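Review bot: the address assignment uses `ifconfig` inside the namespace, which requires net-tools, while every other command in the script is iproute2; use `sudo ip netns exec ns${i} ip addr add 10.0.0.${i}/24 dev veth${i}_` so the script has a single dependency. The preparatory `polycubectl br del` and `polycubectl fw del` fail on a clean system and, unlike the `ip netns del`/`ip link del` lines, their errors are not silenced; add `> /dev/null 2>&1` to them as well. Minor: the shebang `#! /bin/bash` has a space the other scripts do not, and the direction diagram at the bottom is now the only copy left after the example scripts dropped theirs, so it is worth pointing to from the README.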
18 changes: 0 additions & 18 deletions src/services/pcn-firewall/examples/setup_veth.sh

This file was deleted.

2 changes: 1 addition & 1 deletion src/services/pcn-firewall/examples/test_ping.sh
@@ -1,6 +1,6 @@
#!/bin/bash

# test ping between veth1 and veth2
# test ping between br:port1 and br:port2

sudo ip netns exec ns1 ping 10.0.0.2 -c 2
sudo ip netns exec ns2 ping 10.0.0.1 -c 2
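Review bot: the updated comment says the ping is between br:port1 and br:port2, but the unchanged commands run `ping` inside ns1 and ns2; say "between ns1 and ns2 through br:port1/br:port2" so the comment matches what runs. Consider adding `-w 2` as use_append.sh does, so a ping blocked by a rule fails quickly instead of waiting out ping's own per-packet timeouts.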
39 changes: 21 additions & 18 deletions src/services/pcn-firewall/examples/use_append.sh
@@ -5,32 +5,35 @@ set -x
# assume polycubed is already running
# sudo polycubed -d

# assume veth1 and veth2 already created and configured
# ./setup_veth.sh
# assume standard cube (br) and firewall (fw) already created and running
# ./setup_env.sh
#
# assume that no other tests have been run, or the result would be different
# (if you have run ./allow_tcp , then the last comamand would not fail)

function fwcleanup {
set +e
polycubectl firewall del fw
}
trap fwcleanup EXIT

echo -e '\nExample appending rules \n'
echo "Example appending rules"

set -e
set -x

polycubectl firewall add fw
polycubectl firewall fw set loglevel=DEBUG
polycubectl firewall fw ports add fw-p1
polycubectl firewall fw ports add fw-p2
polycubectl firewall fw ports fw-p1 set peer=veth1
polycubectl firewall fw ports fw-p2 set peer=veth2

polycubectl firewall fw chain INGRESS append src=10.0.0.1 dst=10.0.0.2 l4proto=ICMP action=FORWARD
polycubectl firewall fw chain INGRESS append src=10.0.0.1 dst=10.0.0.2 l4proto=TCP action=DROP
# allow ICMP traffic and DROP TCP
# from 10.0.0.1 to 10.0.0.2

polycubectl firewall fw chain INGRESS append src=10.0.0.2 dst=10.0.0.1 l4proto=TCP action=DROP

polycubectl firewall fw chain EGRESS append src=10.0.0.1 dst=10.0.0.2 l4proto=TCP action=DROP

polycubectl firewall fw chain EGRESS append src=10.0.0.2/32 dst=10.0.0.1/32 l4proto=ICMP action=FORWARD
polycubectl firewall fw chain INGRESS append src=10.0.0.1 dst=10.0.0.2 l4proto=TCP action=DROP
polycubectl fw chain EGRESS append l4proto=ICMP src=10.0.0.2/32 dst=10.0.0.1 action=FORWARD

polycubectl fw chain INGRESS append l4proto=ICMP src=10.0.0.1/32 dst=10.0.0.2 action=FORWARD

echo "Press any key to test applied rules"
read

#ping
sudo ip netns exec ns1 ping 10.0.0.2 -c 2 -w 2

#TCP not allowed (no response)
sudo ip netns exec ns1 nping -c 2 --tcp 10.0.0.2
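Review bot: the two TCP DROP rules have their endpoints reversed relative to the chain direction that the ICMP rules and setup_env.sh's diagram use: the INGRESS ICMP rule has src=10.0.0.1/32 dst=10.0.0.2, yet the INGRESS DROP is written with src=10.0.0.2 dst=10.0.0.1, and the EGRESS ICMP rule has src=10.0.0.2/32 dst=10.0.0.1 while the EGRESS DROP has src=10.0.0.1 dst=10.0.0.2. As written, neither DROP rule matches the `nping --tcp 10.0.0.2` sent from ns1 or its replies, so the "TCP not allowed" outcome would not come from the appended rules; swap src and dst in both DROP rules to match the comment "DROP TCP from 10.0.0.1 to 10.0.0.2". Also: the retained `fwcleanup` trap deletes `fw` on exit, so after this example the environment no longer matches the README's prerequisite and reset_firewall.sh has to be run before the other scripts; the hunk mixes the `polycubectl firewall fw chain` and `polycubectl fw chain` forms; and the header comment has a typo ("comamand") and should reference `./allow_tcp.sh`.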
