diff --git a/Documentation/tutorials/tutorial4/tutorial4.rst b/Documentation/tutorials/tutorial4/tutorial4.rst index 4fe26fb4f..1e0d930ac 100644 --- a/Documentation/tutorials/tutorial4/tutorial4.rst +++ b/Documentation/tutorials/tutorial4/tutorial4.rst @@ -1,4 +1,4 @@ -Tutorial 4: Attach/Detatch multiple transparent cubes +Tutorial 4: Attach multiple transparent cubes ============================================================= This simple tutorial aims to show how multiple cubes can be attached to the same interface/port. For the sake of semplicity the configuration presented in this tutorial is really simple, but enough to undestand the principle behind these operations. diff --git a/src/services/pcn-firewall/examples/README.md b/src/services/pcn-firewall/examples/README.md index 0327d053e..686292d32 100644 --- a/src/services/pcn-firewall/examples/README.md +++ b/src/services/pcn-firewall/examples/README.md 
@@ -2,13 +2,24 @@ The example folder contains a set of simple scripts to understand how the firewall service and cli works. ## Prerequisites -All scripts assume that polycubed has been already launched, and that there are two namespaces already created and configured. To create the namespaces, please execute the script [setup_veth.sh](./setup_veth.sh). +All scripts assume that polycubed has been already launched, and that there is a standard cube running with two ports belonging to two namespaces already created and configured. Moreover, a firewall instance should be running and attached to one of the standard cube's port. +To set up all the needed components, please execute the script [setup_env.sh](./setup_env.sh). ## Examples: -- [Ping](./allow_ping.sh): Connects the two namespaces using the firewall service, and allows only the ICMP echo requests/responses. In order to test that the configuration succeeded, you can launch the script [test_ping.sh](./test_ping.sh). -- [TCP](./allow_tcp.sh): Connects the two namespaces using the firewall service, and allows only the TCP traffic. In order to test that the configuration succeeded, you can launch the script [test_tcp.sh](./test_tcp.sh). If the test_tcp script fails, please install the nping program. -- [Advanced TCP](./allow_tcp_adv.sh): Connects the two namespaces using the firewall service, and allows only specific TCP traffic, specifying ports and flags. In order to test that the configuration succeeded, you can launch the script [test_tcp_adv.sh](./test_tcp_adv.sh). If the test_tcp script fails, please install the nping program. +- [Ping](./allow_ping.sh): Connects the firewall to one of the standard cube's port, and allows only the ICMP echo requests/responses. In order to test that the configuration succeeded, you can launch the script [test_ping.sh](./test_ping.sh). +- [TCP](./allow_tcp.sh): Connects the firewall to one of the standard cube's port, and allows only the TCP traffic. 
In order to test that the configuration succeeded, you can launch the script [test_tcp.sh](./test_tcp.sh). If the test_tcp script fails, please install the nping program. +- [Advanced TCP](./allow_tcp_adv.sh): Connects the firewall to one of the standard cube's port, and allows only specific TCP traffic, specifying ports and flags. In order to test that the configuration succeeded, you can launch the script [test_tcp_adv.sh](./test_tcp_adv.sh). If the test_tcp script fails, please install the nping program. - [Append](./use_append.sh): This example is like the Ping one, as the rule set is the same, but it gives an example on how to insert rules at the end of the chain without specifying their ID. At the end of the script, there is already a ping command to test the configuration. - [Counters](./use_counters.sh): This example is like the Ping one, as the rule set is the same, but it shows how to query and flush the counters. After a ping, that requires two packets matching the rule 0 to be traverse each chain, it executes three different queries to get the statistics. After all queries have been completed, it reset the counters flushing them back to 0. - [Transactions](./use_transactions.sh): This example is like the Ping one, as the rule set is the same, but it shows how to use transactions instead of the interactive mode. This mode is strongly suggested when more than one rule has to be inserted, like in the example. **For each chain**, after the rules have been inserted, the command `polycubectl firewall fw chain INGRESS apply-rules` (*for the ingress chain*) is issued to apply the rule set, requiring a single interaction with the datapath. - [Host Mode](./host_mode.sh): This example shows how to use the firewall in the host mode, intercepting the traffic **from the outside to the host**. At the moment it is not possible to intercept traffic in the other direction. This example considers the physical interface connected to the internet. 
+ +Please note that some example does not volountarly delete used resources like firewall or network namespace, since a user can play with multiple rules (e.g. allow IP and TCP). Thus, the behaviour of some tests may change depending on the allowed scripts run. + +To cleanup the entire environment or only the firewall's rules, refer to the following sections. + +## Reset +To reset the firewall's rules, please use the script [reset_firewall.sh](./reset_firewall.sh). + +## Cleanup + To cleanup the environment, please use the script [cleanup_env.sh](./cleanup_env.sh). \ No newline at end of file diff --git a/src/services/pcn-firewall/examples/allow_ping.sh b/src/services/pcn-firewall/examples/allow_ping.sh index 640ceec2e..fd4ce1d95 100755 --- a/src/services/pcn-firewall/examples/allow_ping.sh +++ b/src/services/pcn-firewall/examples/allow_ping.sh 
@@ -5,32 +5,13 @@ set -x # assume polycubed is already running # sudo polycubed -d -# assume veth1 and veth2 already created and configured -# ./setup_veth.sh +# assume standard cube (br) and firewall (fw) already created and running +# ./setup_env.sh -echo "configure firewall and connect ports" +polycubectl fw chain EGRESS insert l4proto=ICMP src=10.0.0.2/32 dst=10.0.0.1 action=FORWARD -polycubectl firewall add fw - -polycubectl firewall fw ports add fw-p1 -polycubectl firewall fw ports add fw-p2 - -polycubectl firewall fw ports fw-p1 set peer=veth1 -polycubectl firewall fw ports fw-p2 set peer=veth2 - - -echo "Press any key to set-up rules..." -read - -# EGRESS_CHAIN and INGRESS_CHAIN are now considered independently - -# veth1 <---- EGRESS ----< veth2 -# veth1 >----INGRESS ----> veth2 - -polycubectl firewall fw chain EGRESS rule add 0 l4proto=ICMP src=10.0.0.2/32 dst=10.0.0.1 action=FORWARD - -polycubectl firewall fw chain INGRESS rule add 0 l4proto=ICMP src=10.0.0.1 dst=10.0.0.2 action=FORWARD +polycubectl fw chain INGRESS insert l4proto=ICMP src=10.0.0.1/32 dst=10.0.0.2 action=FORWARD # ARP packets are allowed by default by firewall policy. -echo "Wait for the rules to be updated, and execute ./test_ping.sh" +echo "Wait for the rules to be updated, and execute ./test_ping.sh" \ No newline at end of file diff --git a/src/services/pcn-firewall/examples/allow_tcp.sh b/src/services/pcn-firewall/examples/allow_tcp.sh index c8eaafa1b..87be8e302 100755 --- a/src/services/pcn-firewall/examples/allow_tcp.sh +++ b/src/services/pcn-firewall/examples/allow_tcp.sh 
@@ -5,31 +5,13 @@ set -x # assume polycubed is already running # sudo polycubed -d -# assume veth1 and veth2 already created and configured -# ./setup_veth.sh - -echo "Configure firewall and connect ports" - -polycubectl firewall add fw - -polycubectl firewall fw ports add fw-p1 -polycubectl firewall fw ports add fw-p2 - -polycubectl firewall fw ports fw-p1 set peer=veth1 -polycubectl firewall fw ports fw-p2 set peer=veth2 - -echo "Press any key to set-up rules..." -read - -# EGRESS_CHAIN and INGRESS_CHAIN are now considered independently - -# veth1 <---- EGRESS ----< veth2 -# veth1 >----INGRESS ----> veth2 +# assume standard cube (br) and firewall (fw) already created and running +# ./setup_cube.sh # allow TCP traffic from/to 10.0.0.0/24 -polycubectl firewall fw chain EGRESS rule add 0 l4proto=TCP src=10.0.0.0/24 dst=10.0.0.0/24 action=FORWARD +polycubectl firewall fw chain EGRESS insert l4proto=TCP src=10.0.0.0/24 dst=10.0.0.0/24 action=FORWARD -polycubectl firewall fw chain INGRESS rule add 0 l4proto=TCP src=10.0.0.0/24 dst=10.0.0.0/24 action=FORWARD +polycubectl firewall fw chain INGRESS insert l4proto=TCP src=10.0.0.0/24 dst=10.0.0.0/24 action=FORWARD echo "Wait for the rules to be updated and launch test_tcp.sh" diff --git a/src/services/pcn-firewall/examples/allow_tcp_adv.sh b/src/services/pcn-firewall/examples/allow_tcp_adv.sh index 5eb36588f..0f9556a09 100755 --- a/src/services/pcn-firewall/examples/allow_tcp_adv.sh +++ b/src/services/pcn-firewall/examples/allow_tcp_adv.sh 
@@ -5,33 +5,15 @@ set -x # assume polycubed is already running # sudo polycubed -d -# assume veth1 and veth2 already created and configured -# ./setup_veth.sh - -echo "Configure firewall and connect ports" - -polycubectl firewall add fw - -polycubectl firewall fw ports add fw-p1 -polycubectl firewall fw ports add fw-p2 - -polycubectl firewall fw ports fw-p1 set peer=veth1 -polycubectl firewall fw ports fw-p2 set peer=veth2 - -echo "Press any key to set-up rules..." -read - -# EGRESS_CHAIN and INGRESS_CHAIN are now considered independently - -# veth1 <---- EGRESS ----< veth2 -# veth1 >----INGRESS ----> veth2 +# assume standard cube (br) and firewall (fw) already created and running +# ./setup_env.sh # allow TCP traffic for test_tcp_adv.sh -polycubectl firewall fw chain EGRESS rule add 0 l4proto=TCP src=10.0.0.0/16 dst=10.0.0.0/16 sport=5678 dport=1234 action=FORWARD tcpflags='SYN, ACK, !RST' -polycubectl firewall fw chain EGRESS rule add 1 l4proto=TCP src=10.0.0.0/16 dst=10.0.0.0/16 sport=5678 dport=1234 action=FORWARD +polycubectl firewall fw chain EGRESS insert l4proto=TCP src=10.0.0.0/16 dst=10.0.0.0/16 sport=5678 dport=1234 action=FORWARD tcpflags='SYN, ACK, !RST' +polycubectl firewall fw chain EGRESS insert l4proto=TCP src=10.0.0.0/16 dst=10.0.0.0/16 sport=5678 dport=1234 action=FORWARD -polycubectl firewall fw chain INGRESS rule add 0 l4proto=TCP src=10.0.0.0/8 dst=10.0.0.0/8 sport=1234 dport=5678 action=FORWARD -polycubectl firewall fw chain INGRESS rule add 1 l4proto=TCP src=10.0.0.0/8 dst=10.0.0.0/8 sport=1234 dport=5678 action=FORWARD tcpflags='SYN, ACK, !RST, !CWR' +polycubectl firewall fw chain INGRESS insert l4proto=TCP src=10.0.0.0/8 dst=10.0.0.0/8 sport=1234 dport=5678 action=FORWARD +polycubectl firewall fw chain INGRESS insert l4proto=TCP src=10.0.0.0/8 dst=10.0.0.0/8 sport=1234 dport=5678 action=FORWARD tcpflags='SYN, ACK, !RST, !CWR' echo "Wait for the rules to be updated and launch test_tcp_adv.sh" 
diff --git a/src/services/pcn-firewall/examples/cleanup_env.sh b/src/services/pcn-firewall/examples/cleanup_env.sh new file mode 100755 index 000000000..ae5f3dce3 --- /dev/null +++ b/src/services/pcn-firewall/examples/cleanup_env.sh @@ -0,0 +1,14 @@ +#!/bin/bash +set -x + +#Deleting firewall +polycubectl firewall del fw + +#Deleting standard cube +polycubectl simplebridge del br + +#Deleting namespaces +for i in `seq 1 2`;do + sudo ip link del veth${i} + sudo ip netns del ns${i} +done \ No newline at end of file diff --git a/src/services/pcn-firewall/examples/host_mode.sh b/src/services/pcn-firewall/examples/host_mode.sh index 40cf47209..56e8a08a3 100755 --- a/src/services/pcn-firewall/examples/host_mode.sh +++ b/src/services/pcn-firewall/examples/host_mode.sh 
@@ -1,37 +1,44 @@ #!/bin/bash -set -x +#Argument 1 is the physical interface name +if [ $# -ne 1 ];then + echo "No arguments supplied" + exit 1 +fi # assume polycubed is already running # sudo polycubed -d -# assume veth1 and veth2 already created and configured -# ./setup_veth.sh +# There is no need to run setup_env.sh +# since this example attaches the firewall directly to the physical interface function fwcleanup { set +e - polycubectl firewall del fw + polycubectl firewall del fw1 } trap fwcleanup EXIT -echo -e '\nExample using the host mode \n' -echo -e '\n+++ ONLY the ingress chain is supported at the moment! \n' +echo 'Example using the host mode' set -e set -x -polycubectl firewall add fw +polycubectl firewall add fw1 + +# Attaching the firewall to the physical interface +polycubectl attach fw1 $1 + +polycubectl firewall fw1 chain INGRESS rule add 0 l4proto=UDP action=FORWARD +polycubectl firewall fw1 chain INGRESS rule add 1 l4proto=ICMP action=FORWARD -# Connecting the host -polycubectl firewall fw ports add to_host -polycubectl firewall fw ports to_host set peer=:host +polycubectl firewall fw1 chain EGRESS rule add 0 l4proto=UDP action=FORWARD +polycubectl firewall fw1 chain EGRESS rule add 1 l4proto=ICMP action=FORWARD -# ++ Replace with the physical interface name -polycubectl firewall fw ports add to_ens -polycubectl firewall fw ports to_ens set peer= +echo "Press any key to test applied rules" +read -polycubectl firewall fw chain INGRESS rule add 0 l4proto=UDP action=FORWARD -polycubectl firewall fw chain INGRESS rule add 1 l4proto=ICMP action=FORWARD +#Ping allowed +ping -c 2 google.com -#ping -ping www.google.it +#TCP not allowed (no response) +nping -c 2 google.com diff --git a/src/services/pcn-firewall/examples/reset_firewall.sh b/src/services/pcn-firewall/examples/reset_firewall.sh new file mode 100755 index 000000000..78208d536 --- /dev/null +++ b/src/services/pcn-firewall/examples/reset_firewall.sh 
@@ -0,0 +1,11 @@ +#!/bin/bash + +set -x + +polycubectl fw del + +polycubectl firewall add fw + +polycubectl attach fw br:port1 + +echo "Firewall reconfigured" diff --git a/src/services/pcn-firewall/examples/setup_env.sh b/src/services/pcn-firewall/examples/setup_env.sh new file mode 100755 index 000000000..628975112 --- /dev/null +++ b/src/services/pcn-firewall/examples/setup_env.sh @@ -0,0 +1,49 @@ +#! /bin/bash + +set -x + +# Setup veths. Useful for testing service with linux namespaces. + +echo "Configuring network namespaces" + +for i in `seq 1 2`; +do + sudo ip netns del ns${i} > /dev/null 2>&1 # remove ns if already existed + sudo ip link del veth${i} > /dev/null 2>&1 + + sudo ip netns add ns${i} + sudo ip link add veth${i}_ type veth peer name veth${i} + sudo ip link set veth${i}_ netns ns${i} + sudo ip netns exec ns${i} ip link set dev veth${i}_ up + sudo ip link set dev veth${i} up + sudo ip netns exec ns${i} ifconfig veth${i}_ 10.0.0.${i}/24 +done + +# Setup standard cube (Simplebridge) + +echo "Configuring standard cube" + +polycubectl br del + +polycubectl simplebridge add br + +polycubectl simplebridge br ports add port1 +polycubectl simplebridge br ports add port2 + +polycubectl connect br:port1 veth1 +polycubectl connect br:port2 veth2 + +# Creating and attaching Firewall to Simplebridge + +echo "Configuring Firewall" + +polycubectl fw del + +polycubectl firewall add fw + +polycubectl attach fw br:port1 + +# EGRESS_CHAIN and INGRESS_CHAIN are now considered independently + +# br:port1 <---- EGRESS ----< br:port2 +# br:port1 >----INGRESS ----> br:port2 diff --git a/src/services/pcn-firewall/examples/setup_veth.sh b/src/services/pcn-firewall/examples/setup_veth.sh deleted file mode 100755 index fd2617b25..000000000 --- a/src/services/pcn-firewall/examples/setup_veth.sh +++ /dev/null 
@@ -1,18 +0,0 @@ -#! /bin/bash - -set -x - -# Setup veths. Useful for testing service with linux namespaces. - -for i in `seq 1 2`; -do - sudo ip netns del ns${i} > /dev/null 2>&1 # remove ns if already existed - sudo ip link del veth${i} > /dev/null 2>&1 - - sudo ip netns add ns${i} - sudo ip link add veth${i}_ type veth peer name veth${i} - sudo ip link set veth${i}_ netns ns${i} - sudo ip netns exec ns${i} ip link set dev veth${i}_ up - sudo ip link set dev veth${i} up - sudo ip netns exec ns${i} ifconfig veth${i}_ 10.0.0.${i}/24 -done diff --git a/src/services/pcn-firewall/examples/test_ping.sh b/src/services/pcn-firewall/examples/test_ping.sh index 59ac2d62c..d80dfaf6b 100755 --- a/src/services/pcn-firewall/examples/test_ping.sh +++ b/src/services/pcn-firewall/examples/test_ping.sh @@ -1,6 +1,6 @@ #!/bin/bash -# test ping between veth1 and veth2 +# test ping between br:port1 and br:port2 sudo ip netns exec ns1 ping 10.0.0.2 -c 2 sudo ip netns exec ns2 ping 10.0.0.1 -c 2 diff --git a/src/services/pcn-firewall/examples/use_append.sh b/src/services/pcn-firewall/examples/use_append.sh index a68aca240..f54855429 100755 --- a/src/services/pcn-firewall/examples/use_append.sh +++ b/src/services/pcn-firewall/examples/use_append.sh 
@@ -5,32 +5,35 @@ set -x # assume polycubed is already running # sudo polycubed -d -# assume veth1 and veth2 already created and configured -# ./setup_veth.sh +# assume standard cube (br) and firewall (fw) already created and running +# ./setup_env.sh +# +# assume that no other tests have been run, or the result would be different +# (if you have run ./allow_tcp , then the last comamand would not fail) -function fwcleanup { - set +e - polycubectl firewall del fw -} -trap fwcleanup EXIT - -echo -e '\nExample appending rules \n' +echo "Example appending rules" set -e set -x -polycubectl firewall add fw polycubectl firewall fw set loglevel=DEBUG -polycubectl firewall fw ports add fw-p1 -polycubectl firewall fw ports add fw-p2 -polycubectl firewall fw ports fw-p1 set peer=veth1 -polycubectl firewall fw ports fw-p2 set peer=veth2 -polycubectl firewall fw chain INGRESS append src=10.0.0.1 dst=10.0.0.2 l4proto=ICMP action=FORWARD -polycubectl firewall fw chain INGRESS append src=10.0.0.1 dst=10.0.0.2 l4proto=TCP action=DROP +# allow ICMP traffic and DROP TCP +# from 10.0.0.1 to 10.0.0.2 + +polycubectl firewall fw chain INGRESS append src=10.0.0.2 dst=10.0.0.1 l4proto=TCP action=DROP + +polycubectl firewall fw chain EGRESS append src=10.0.0.1 dst=10.0.0.2 l4proto=TCP action=DROP -polycubectl firewall fw chain EGRESS append src=10.0.0.2/32 dst=10.0.0.1/32 l4proto=ICMP action=FORWARD -polycubectl firewall fw chain INGRESS append src=10.0.0.1 dst=10.0.0.2 l4proto=TCP action=DROP +polycubectl fw chain EGRESS append l4proto=ICMP src=10.0.0.2/32 dst=10.0.0.1 action=FORWARD + +polycubectl fw chain INGRESS append l4proto=ICMP src=10.0.0.1/32 dst=10.0.0.2 action=FORWARD + +echo "Press any key to test applied rules" +read #ping sudo ip netns exec ns1 ping 10.0.0.2 -c 2 -w 2 + +#TCP not allowed (no response) +sudo ip netns exec ns1 nping -c 2 --tcp 10.0.0.2 
diff --git a/src/services/pcn-firewall/examples/use_counters.sh b/src/services/pcn-firewall/examples/use_counters.sh index 1bf0c204f..cf4255eb6 100755 --- a/src/services/pcn-firewall/examples/use_counters.sh +++ b/src/services/pcn-firewall/examples/use_counters.sh @@ -1,29 +1,21 @@ #!/bin/bash +set -x + # assume polycubed is already running # sudo polycubed -d -# assume veth1 and veth2 already created and configured -# ./setup_veth.sh - -function fwcleanup { - set +e - polycubectl firewall del fw -} -trap fwcleanup EXIT - -echo -e '\Example showing counters \n' +# assume standard cube (br) and firewall (fw) already created and running +# ./setup_env.sh -set -x set -e +set -x + +echo 'Example showing counters' -polycubectl firewall add fw polycubectl firewall fw set loglevel=OFF -polycubectl firewall fw ports add fw-p1 -polycubectl firewall fw ports add fw-p2 -polycubectl firewall fw ports fw-p1 set peer=veth1 -polycubectl firewall fw ports fw-p2 set peer=veth2 +#add rule to allow ping polycubectl firewall fw chain INGRESS rule add 0 src=10.0.0.1 dst=10.0.0.2 l4proto=ICMP action=FORWARD polycubectl firewall fw chain EGRESS rule add 0 src=10.0.0.2/32 dst=10.0.0.1/32 l4proto=ICMP action=FORWARD diff --git a/src/services/pcn-firewall/examples/use_transactions.sh b/src/services/pcn-firewall/examples/use_transactions.sh index 7d7153937..2adff9b5a 100755 --- a/src/services/pcn-firewall/examples/use_transactions.sh +++ b/src/services/pcn-firewall/examples/use_transactions.sh 
@@ -5,26 +5,14 @@ set -x # assume polycubed is already running # sudo polycubed -d -# assume veth1 and veth2 already created and configured -# ./setup_veth.sh +# assume standard cube (br) and firewall (fw) already created and running +# ./setup_env.sh -function fwcleanup { - set +e - polycubectl firewall del fw -} -trap fwcleanup EXIT - -echo -e '\nExample using transactions \n' +echo 'Example using transactions' set -e set -x -polycubectl firewall add fw -polycubectl firewall fw ports add fw-p1 -polycubectl firewall fw ports add fw-p2 -polycubectl firewall fw ports fw-p1 set peer=veth1 -polycubectl firewall fw ports fw-p2 set peer=veth2 - echo 'Activating the transaction mode' polycubectl firewall fw set interactive=false
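Review bot: in the tutorial4.rst hunk the title is fixed but the unchanged context lines right below it still read "semplicity" and "undestand"; since the patch already touches this file, correct them to "simplicity" and "understand" in the same hunk.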
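Review bot: in the README.md hunk the three rewritten entries (Ping, TCP, Advanced TCP) say the script "Connects the firewall to one of the standard cube's port", but the rewritten allow_ping.sh, allow_tcp.sh and allow_tcp_adv.sh no longer attach anything: the attachment is done once by setup_env.sh (`polycubectl attach fw br:port1`) and the example scripts only insert rules. Reword them along the lines of "Allows only the ICMP echo requests/responses on the firewall attached by setup_env.sh". In the same hunk, the Advanced TCP entry still says "If the test_tcp script fails" where test_tcp_adv is meant, "one of the standard cube's port" should be "ports", "some example does not volountarly delete" should read "some examples deliberately do not delete", "To cleanup" is "To clean up", the Cleanup line has a stray leading space, and the file now ends without a newline.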
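Review bot: in the allow_ping.sh hunk the two insert lines use the `polycubectl fw chain ...` shorthand while allow_tcp.sh and allow_tcp_adv.sh in the same patch use `polycubectl firewall fw chain ...`; pick one form for all the examples so readers do not wonder whether the two are different commands. The final `echo` line is changed only to drop the trailing newline ("\ No newline at end of file"); keep the newline so the line does not show up as modified.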
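Review bot: in the allow_tcp.sh hunk the new comment points at `./setup_cube.sh`, which does not exist in this patch; every other script and the README refer to `./setup_env.sh`. Change the comment to `# ./setup_env.sh`.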
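Review bot: in the allow_tcp_adv.sh hunk, replacing `rule add 0` / `rule add 1` with two bare `insert` calls per chain changes the evaluation order if `insert` without an id places the rule at the head of the chain: the second insert would then become rule 0, so on EGRESS the rule without tcpflags and on INGRESS the rule with `tcpflags='SYN, ACK, !RST, !CWR'` would be evaluated first, the opposite of the original precedence, and which rule matches first decides whether the flag filter is applied at all. If that is the semantics, swap the two lines in each chain or pass explicit positions; if `insert` appends, say so in a comment so the next reader does not have to check.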
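Review bot: in the cleanup_env.sh hunk, `sudo ip link del veth${i}` removes the whole veth pair, and `sudo ip netns del ns${i}` would remove it as well, so whichever runs when the pair is already gone prints an error; redirect the expected failure with `> /dev/null 2>&1` as setup_env.sh does for its own delete lines. Also add a trailing newline (the file ends with "\ No newline at end of file") and prefer `$(seq 1 2)` or `{1..2}` over backticks.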
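Review bot: in the host_mode.sh hunk, `nping -c 2 google.com` has no `--tcp`, and nping picks its default mode from its privileges (ICMP echo when run as root), so the probe would be forwarded by the ICMP rule instead of demonstrating the drop that the comment "#TCP not allowed (no response)" promises; use `nping -c 2 --tcp google.com` as use_append.sh does. Quote the argument (`polycubectl attach fw1 "$1"`) and have the argument check print a usage line (`Usage: $0 <interface>`), since "No arguments supplied" is wrong when more than one is given. The script now also adds EGRESS rules, while the README's Host Mode entry (unchanged in this patch) still says that traffic in the other direction cannot be intercepted; update one or the other.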
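Review bot: in the reset_firewall.sh hunk there is no `set -e`, so if `polycubectl firewall add fw` or `polycubectl attach fw br:port1` fails (for instance because `polycubectl fw del` did not remove the old instance) the script still prints "Firewall reconfigured". Add `set -e` after the `del` line, which is expected to fail on a clean system, or check the exit status before the echo. The `br:port1` attachment point duplicates the one in setup_env.sh; a comment stating that the script assumes setup_env.sh's topology would help.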
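Review bot: in the setup_env.sh hunk, `sudo ip netns exec ns${i} ifconfig veth${i}_ 10.0.0.${i}/24` depends on net-tools, which current distributions no longer install by default, while every other line already uses iproute2; use `sudo ip netns exec ns${i} ip addr add 10.0.0.${i}/24 dev veth${i}_`. `polycubectl br del` and `polycubectl fw del` will print an error on a fresh system; redirect them like the `ip netns del` line, since that failure is expected.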
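Review bot: in the test_ping.sh hunk the new comment "test ping between br:port1 and br:port2" is less accurate than the old one: the two commands ping from ns1 to 10.0.0.2 and from ns2 to 10.0.0.1, i.e. between the namespaces, through the bridge ports and the firewall attached to br:port1. Suggest "# test ping between ns1 and ns2 (through br:port1, where the firewall is attached)".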
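Review bot: in the use_append.sh hunk the two TCP DROP rules have src/dst swapped relative to the ICMP FORWARD rules appended to the same chains: INGRESS gets `src=10.0.0.2 dst=10.0.0.1 l4proto=TCP action=DROP` while its ICMP rule is `src=10.0.0.1/32 dst=10.0.0.2`, and EGRESS gets `src=10.0.0.1 dst=10.0.0.2` TCP DROP against ICMP `src=10.0.0.2/32 dst=10.0.0.1`. The comment says the script drops TCP from 10.0.0.1 to 10.0.0.2 and the test sends `nping --tcp 10.0.0.2` from ns1, the INGRESS direction per allow_ping.sh, so neither DROP rule matches that flow and the missing response comes from the default behaviour rather than from the appended rules (the pre-patch version had `src=10.0.0.1 dst=10.0.0.2` on INGRESS). Swap src and dst on both TCP lines. Also fix "comamand", and the script mixes `polycubectl firewall fw chain` and `polycubectl fw chain` on adjacent lines.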
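Review bot: in the use_counters.sh hunk `set -x` is now enabled at the top of the script and again right after `set -e`; drop the new top-level one, since the other example scripts keep it paired with `set -e` after the prerequisite comments.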
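Review bot: in the use_transactions.sh hunk, removing the EXIT trap that deleted fw means `polycubectl firewall fw set interactive=false` now persists on the shared fw instance after the script ends, so the other examples, which rely on interactive mode, would stop taking effect until apply-rules is issued or reset_firewall.sh is run. Restore `interactive=true` at the end of the script, or state in the README's "Please note" paragraph that reset_firewall.sh is required after this example.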