whitelist control flow goes to deidtect controller rather than directly to the...

whitelist control flow goes to the deidtect controller rather than directly to the ryu controller; add a cron entry on the IDS VM for IDS scaling
parent 46df8283
from os import environ
from config import Config
import sys
import binascii
......@@ -34,6 +33,7 @@ NETWORK='networkhelper/'
class deidtect:
def __init__(self,filename):
f = file(filename);
self.whitelistProxy = None;
self.cfg = Config(f);
print self.cfg;
......@@ -52,6 +52,24 @@ class deidtect:
return True;
return False;
def sendRemoteWhiteList(self, rDeidtectIP, dpid, srcip, dstip):
print "Sending Remote DEIDtect Whitelist Request.."
pCmd = "curl -v http://%s:120/deidtect/whitelist/local/\'%s\'/\'%s\'/\'%s\'" \
% (rDeidtectIP, dpid, srcip, dstip);
print pCmd
p = Popen(pCmd, shell=True, stdout=PIPE, stderr=PIPE)
out, err = p.communicate()
print out,err
def sendLocalWhiteList(self, switch, src_ip, dst_ip):
enterpriseControllerIP = self.cfg['RYU_IP']
pCmd = "curl -d \"{ \'dpid\' : \'%s\' , \'ipv4_src\': \'%s\', \'ipv4_dst\':\'%s\' }\" http://%s:8080/v1.0/nettopo/whitelist" % (switch,src_ip, dst_ip, enterpriseControllerIP)
print pCmd
p = Popen(pCmd, shell=True, stdout=PIPE, stderr=PIPE)
out, err = p.communicate()
print out,err
def sendLocalTapReq(self, cmd, switch, port, vlan, traffic=None):
print "Local Tap req sending.."
print "cmd:%s switch:%s port:%d vlan:%d" % (cmd, switch, port, vlan)
......@@ -74,15 +92,13 @@ class deidtect:
def sendRemReq(self, name="test", cmd="add", ryuip='localhost', switch='0000000000000001', port=3,vlan=100,tunid=5):
print "Received Remote request..."
self.sendLocalCloudReq(cmd,name,switch,port,vlan,tunid,ryuip)
self.sendLocalCloudReq(cmd,name,switch,port,vlan,tunid,ryuip,site='remote')
def sendLocalCloudReq(self, cmd, name, switch, port, vlan, tunid,ryuip):
def sendLocalCloudReq(self, cmd, name, switch, port, vlan, tunid,ryuip, site='local'):
print "Local Cloud VM req sending.."
cloudCtrlIP = self.cfg['CLOUD_IP']
if cmd == "add":
pCmd = "curl -v http://%s:123/controllerhelper/\'%s\'/\'%s\'/%d/%d/\'%s\'/\'%s\'" % (cloudCtrlIP,cmd,name,vlan,tunid,switch,ryuip)
pCmd = "curl -v http://%s:123/controllerhelper/\'%s\'/\'%s\'/%d/%d/\'%s\'/\'%s\'/\'%s\'" % (cloudCtrlIP,cmd,name,vlan,tunid,switch,ryuip,site)
else:
pCmd = "curl -v http://%s:123/controllerhelper/\'%s\'/\'%s\'/%d/%d" % (cloudCtrlIP,cmd,name,vlan,tunid)
print pCmd
......@@ -105,15 +121,18 @@ class deidtect:
if self.isLocal():
#follow the order
print "Send local cloud init req to the cloudcontroller"
ryuip = self.cfg['RYU_IP']
self.sendLocalCloudReq(cmd,name,switch,port,vlan,tunid,ryuip)
#ryuip = self.cfg['RYU_IP']
controllerip = socket.gethostbyname(socket.gethostname())
#TODO cloud should know the deidtect controller it should send to
self.sendLocalCloudReq(cmd,name,switch,port,vlan,tunid,controllerip)
print "Sending tap rq to local enterprise controller"
self.sendLocalTapReq(cmd, switch,port,vlan,None);
else:
#follow the order
print "Sending cloud req remote deidtect controller"
ryuip = self.cfg['RYU_IP']
self.sendRemoteDeidTectReq(cmd,name,switch,port,vlan,tunid,ryuip)
#ryuip = self.cfg['RYU_IP']
controllerip = socket.gethostbyname(socket.gethostname())
self.sendRemoteDeidTectReq(cmd,name,switch,port,vlan,tunid,controllerip)
print "Sending tunnel setup req to WAN controller"
self.sendWanReq(cmd, vlan);
print "Sending tap rq to local enterprise controller"
......@@ -122,10 +141,20 @@ class deidtect:
'''
wsgi functions
'''
def get_client_address(environ):
try:
return environ['HTTP_X_FORWARDED_FOR'].split(',')[-1].strip()
except KeyError:
return environ['REMOTE_ADDR']
def sendOK(start_response):
start_response("200 OK", [('Content-type', 'text/plain')])
return ['OK']
def sendText(start_response, responseData):
start_response("200 OK", [('Content-type', 'text/plain')])
return [responseData]
def sendError(start_response):
start_response("404 Not Found", [('Content-type',
'text/plain')])
......@@ -133,6 +162,7 @@ def sendError(start_response):
def networkapp(environ, start_response):
cur_path = environ['PATH_INFO']
print environ
print mapper
print cur_path
result = mapper.match(cur_path)
......@@ -140,7 +170,7 @@ def networkapp(environ, start_response):
if result is not None:
print result
print "called.. %s" % result['action']
return globals()[result['action']](result, start_response)
return globals()[result['action']](result, start_response, environ)
return sendError(start_response)
......@@ -180,10 +210,50 @@ def start_deidtect_server(port):
action='deidtectRemAction',
conditions=dict(method=['GET']))
uri = '/deidtect/whitelist/{site}/{dpid}/{src}/{dst}'
mapper.connect(route_name, uri, controller="home",
action='deidtectWhitelist',
conditions=dict(method=['GET']))
uri = '/deidtect/cpu/{usage}'
mapper.connect(route_name, uri, controller="home",
action='deidtectScaling',
conditions=dict(method=['GET']))
wsgi.server(eventlet.listen((serverip, port)), networkapp)
print "Server : DEIDtect Core Stopped"
def deidtectAction(dic, start_response):
def deidtectScaling(dic, start_response, environ):
print "got whitelist route update"
print dic
usage = dic.get('usage',None)
remoteIP = get_client_address(environ);
print "IDS IP: %s reported : %d usage" % (remoteIP, int(usage))
responseData = 'standalone'
return sendText(start_response, responseData);
def deidtectWhitelist(dic, start_response, environ):
print "got whitelist route update"
print dic
site = dic.get('site',None)
dpid = dic.get('dpid', None)
srcip = dic.get('src', None)
dstip = dic.get('dst', None)
if site == 'local':
d.sendLocalWhiteList(dpid, srcip, dstip);
else:
remoteip = d.whitelistProxy
d.sendRemoteWhiteList(remoteip, dpid, srcip, dstip);
return sendOK(start_response);
def deidtectAction(dic, start_response, environ):
print "got deidtectAction request.."
print dic
cmd = dic.get('cmd',None)
......@@ -201,7 +271,7 @@ def deidtectAction(dic, start_response):
vlan=vlanid, tunid=tunid)
return sendOK(start_response);
def deidtectRemAction(dic, start_response):
def deidtectRemAction(dic, start_response, environ):
cmd = dic.get('cmd',None)
idsname = dic.get('idsname',None)
ryuip = dic.get('ryuip',None)
......@@ -217,13 +287,18 @@ def deidtectRemAction(dic, start_response):
d.sendRemReq(cmd=cmd, name=idsname, ryuip=ryuip, switch=switchdpid, port=port,
vlan=vlanid, tunid=tunid)
remoteIP = get_client_address(environ);
#add the proxy ip
#handling only one remote instance as of now
#extend to have multiple sites as future work!
print "Update the remote IP instance"
d.whitelistProxy = remoteIP
return sendOK(start_response);
if __name__ == '__main__':
opts, args = parseOptions()
d = deidtect(opts.file);
global d;
d = deidtect(opts.file);
start_deidtect_server(120);
#d.sendReq(cmd="add")
#d.sendReq(cmd="del")
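Review bot: `sendRemoteWhiteList` and `sendLocalWhiteList` format `dpid`, `srcip` and `dstip` into a shell string executed with `Popen(..., shell=True)`, and `deidtectWhitelist` passes those values straight from the `/deidtect/whitelist/{site}/{dpid}/{src}/{dst}` route with no validation, so anyone who can reach port 120 can inject commands (a `'` in the src segment closes the quote). Pass curl an argv list instead of a shell string and reject values that are not a dotted-quad address or a hex dpid before they reach curl, as sketched below. `get_client_address` also prefers `X-Forwarded-For`, which any client can set, and `deidtectRemAction` stores that value as `d.whitelistProxy`, so a forged header redirects all later remote whitelist forwarding to a host of the caller's choosing; unless a trusted reverse proxy sits in front of this server, use `REMOTE_ADDR` only. `d.whitelistProxy` is still `None` until the first remote action arrives, so a non-local whitelist request before that curls `http://None:120/...` and should be rejected instead. The `deidtectScaling` log line still says `got whitelist route update` and `int(usage)` raises on a non-numeric segment; both look like copy-paste leftovers worth cleaning.
```python
def sendRemoteWhiteList(self, rDeidtectIP, dpid, srcip, dstip):
    print "Sending Remote DEIDtect Whitelist Request.."
    # values come from the URL route; the sender wraps them in single quotes,
    # so strip those and accept only dotted-quad addresses and a hex dpid
    dpid, srcip, dstip = [v.strip("'") for v in (dpid, srcip, dstip)]
    socket.inet_aton(srcip)
    socket.inet_aton(dstip)
    int(dpid, 16)
    url = "http://%s:120/deidtect/whitelist/local/'%s'/'%s'/'%s'" % (rDeidtectIP, dpid, srcip, dstip)
    p = Popen(["curl", "-v", url], stdout=PIPE, stderr=PIPE)  # argv list: no shell, nothing to inject
    out, err = p.communicate()
    print out, err

# … same treatment for sendLocalWhiteList: Popen(["curl", "-d", body, url], stdout=PIPE, stderr=PIPE) …
```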
from os import environ
from config import Config
import sys
import binascii
......@@ -46,10 +45,10 @@ def wsgiresponder(environ, start_response):
if result is not None:
print result
print "called.. %s" % result['action']
return globals()[result['action']](result, start_response)
return globals()[result['action']](result, start_response, environ)
return sendError(start_response)
def delIDS(dic, start_response):
def delIDS(dic, start_response,environ):
print "got delIDS request.."
name = dic.get('name',None)
vlan = dic.get('vlanid', None)
......@@ -64,7 +63,7 @@ def delIDS(dic, start_response):
return actionIDS(start_response, "del" , name, vlanid, tunid);
def setupIDS(dic, start_response):
def setupIDS(dic, start_response,environ):
print "got setupIDS request.."
name = dic.get('name',None)
......@@ -72,6 +71,7 @@ def setupIDS(dic, start_response):
tun = dic.get('tunid',None)
switchid = dic.get('switch',None)
ryuip = dic.get('ryuip',None)
site = dic.get('site',None)
vlanid = int(vlan)
tunid = int(tun)
......@@ -81,15 +81,16 @@ def setupIDS(dic, start_response):
print tunid
print switchid
print ryuip
print site
return actionIDS(start_response, "add" , name, vlanid, tunid, switchid, ryuip);
return actionIDS(start_response, "add" , name, vlanid, tunid, switchid, ryuip, site);
def actionIDS(start_response, cmd, name, vlan, tunid, switchid=None, ryuip=None):
def actionIDS(start_response, cmd, name, vlan, tunid, switchid=None, ryuip=None, site='local'):
print "performing action.."
if cmd == "add":
dIds.spinUpIDS(0,name, cip=ryuip)
dIds.spinUpIDS(0,name, cip=ryuip, \
site=site)
credentials = get_nova_credentials_v2()
nova_client = Client(**credentials)
......@@ -164,7 +165,7 @@ def start_controller_server(port):
route_name = 'controllerhelper'
print "Server : Controller Helper for DEIDtect Started.."
uri = '/controllerhelper/add/{name}/{vlanid}/{tunid}/{switch}/{ryuip}'
uri = '/controllerhelper/add/{name}/{vlanid}/{tunid}/{switch}/{ryuip}/{site}'
mapper.connect(route_name, uri, controller="home",
action='setupIDS',
conditions=dict(method=['GET']))
......
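Review bot: `setupIDS` takes `site` straight from the new `/{site}` route segment and hands it to `actionIDS` and on to `dIds.spinUpIDS` without checking it, although only `'local'` and `'remote'` appear to be meaningful (they are the defaults in `sendLocalCloudReq`/`sendRemReq`) and the string ends up inside a cloud-init shell command further down the chain. Reject anything else at this boundary before a VM is created: `if site not in ('local', 'remote'):` / `return sendError(start_response)`. The `print site` debug line can go at the same time. `actionIDS` and `start_controller_server` both continue outside their hunks.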
......@@ -70,7 +70,8 @@ def get_nova_credentials_v2():
return d
def spinUpIDS(mode=0,name='test', cip='localhost', dpid='0000000000000001'):
def spinUpIDS(mode=0,name='test', cip='localhost', dpid='0000000000000001',
site='local'):
setupKeypair();
setupSecGroup()
image = nova_client.images.find(name="brocluster-14.04-x86_64")
......@@ -79,7 +80,7 @@ def spinUpIDS(mode=0,name='test', cip='localhost', dpid='0000000000000001'):
idsnet = nova_client.networks.find(label="test-net-2")
ids_secgroups = ["default","ids"]
nics = [{'net-id': net.id}, {'net-id': idsnet.id}]
initScript.createCloudInitFile(cip, dpid, mode)
initScript.createCloudInitFile(cip, dpid, mode, site)
userdatafile = 'cloud-init.file'
print name
print image
......
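Review bot: `spinUpIDS` gains a `site` keyword that is forwarded verbatim to `initScript.createCloudInitFile`, but neither the signature nor a docstring says which values are valid or what the guest does with them; a one-line docstring such as `"""Boot an IDS VM; site is presumably 'local' or 'remote' and is written to /etc/whitelist.cfg on the guest via cloud-init."""` would save the next reader a trip through three files. The function's body continues outside the hunk.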
......@@ -39,7 +39,7 @@ def delCloudInitFile():
out, err = p.communicate()
return
def createCloudInitFile(cip, dpid, mode):
def createCloudInitFile(cip, dpid, mode, site='local'):
outputfile="/etc/whitelist.cfg"
cmdlist = []
if mode == 0:
......@@ -51,6 +51,8 @@ def createCloudInitFile(cip, dpid, mode):
outputfile))
cmdlist.append("echo \'sudo echo \"SWITCH_DPID: \'%s\'\" >> %s\' >> cloud-init.file" % (dpid,
outputfile))
cmdlist.append("echo \'sudo echo \"SITE: \'%s\'\" >> %s\' >> cloud-init.file" % (site,
outputfile))
cmdlist.append("cat cloud-init.file")
#cmdlist.append("rm cloud-init.file")
for cmd in cmdlist:
......
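Review bot: the new `SITE:` line formats `site` into a nested shell `echo` string exactly like the `dpid` and `cip` lines above it, but `site` now originates from an HTTP route segment in `setupIDS` (`/controllerhelper/add/.../{site}`), so a value containing a quote or `$(...)` breaks out of the quoting either when the command runs here or when cloud-init executes the generated file. Validate at the top of the function, `if site not in ('local', 'remote'): raise ValueError('unexpected site %r' % site)`, or better build `cloud-init.file` with ordinary Python file writes instead of shelling out to `echo`. The function's body continues outside the hunk.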
......@@ -14,11 +14,19 @@ echo "PATH=$PATH:/usr/local/bro/bin" >> ~/.bashrc
ETH1_IP=`ifconfig eth1 2>/dev/null|awk '/inet addr:/ {print $2}'|sed 's/addr://'`
echo "Enable promisc mode"
sudo ifconfig eth1 promisc
echo "disable tcp checksum offloading"
sudo ethtool --offload eth1 rx off tx off
sudo ethtool -k eth1 gso off
echo "Drop all outgoing packets in bro interface"
sudo iptables -A OUTPUT -o eth1 -j DROP
echo "Accept all incoming packets in bro interface"
sudo iptables -A INPUT -i eth1 -j ACCEPT
BRO_CFG_FILE='/usr/local/bro/etc/node.cfg'
mkdir -p /usr/local/bro/etc/
#setup the cron task
SCALE_SCRIPT='/home/ubuntu/idsScale.sh'
crontab -l | { cat; echo "*/5 * * * * $SCALE_SCRIPT"; } | crontab -
#start creating the file conf for 4 instance
echo "[manager]" > $BRO_CFG_FILE
......@@ -29,13 +37,13 @@ echo "" >> $BRO_CFG_FILE
echo "[proxy-0]" >> $BRO_CFG_FILE
echo "type=proxy" >> $BRO_CFG_FILE
echo "host=$ETH1_IP" >> $BRO_CFG_FILE
echo "host=localhost" >> $BRO_CFG_FILE
echo "" >> $BRO_CFG_FILE
echo "[worker-0]" >> $BRO_CFG_FILE
echo "type=worker" >> $BRO_CFG_FILE
echo "host=$ETH1_IP" >> $BRO_CFG_FILE
echo "host=localhost" >> $BRO_CFG_FILE
echo "interface=eth1">> $BRO_CFG_FILE
echo "lb_method=pf_ring" >> $BRO_CFG_FILE
......
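Review bot: the cron installation at `crontab -l | { cat; echo ...; } | crontab -` is not idempotent — every run of this setup script appends another `*/5` entry — and it schedules `/home/ubuntu/idsScale.sh` without checking that the file exists or is executable (the script does not appear in this diff). Guard and de-duplicate: `[ -x "$SCALE_SCRIPT" ] || echo "missing $SCALE_SCRIPT" >&2` and then `crontab -l 2>/dev/null | grep -qF "$SCALE_SCRIPT" || (crontab -l 2>/dev/null; echo "*/5 * * * * $SCALE_SCRIPT") | crontab -`. The `2>/dev/null` also silences the `no crontab for user` message on a fresh VM.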
......@@ -14,6 +14,9 @@ echo "PATH=$PATH:/usr/local/bro/bin" >> ~/.bashrc
ETH1_IP=`ifconfig eth1 2>/dev/null|awk '/inet addr:/ {print $2}'|sed 's/addr://'`
echo "Enable promisc mode"
sudo ifconfig eth1 promisc
echo "disable tcp checksum offloading"
sudo ethtool --offload eth1 rx off tx off
sudo ethtool -k eth1 gso off
echo "Drop all outgoing packets in bro interface"
sudo iptables -A OUTPUT -o eth1 -j DROP
echo "Accept all incoming packets in bro interface"
......@@ -21,6 +24,10 @@ sudo iptables -A INPUT -i eth1 -j ACCEPT
BRO_CFG_FILE='/usr/local/bro/etc/node.cfg'
mkdir -p /usr/local/bro/etc/
#setup the cron task
SCALE_SCRIPT='/home/ubuntu/idsScale.sh'
crontab -l | { cat; echo "*/5 * * * * $SCALE_SCRIPT"; } | crontab -
#start creating the file conf for 4 instance
echo "[bro]" > $BRO_CFG_FILE
echo "type=standalone" >> $BRO_CFG_FILE
......
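Review bot: installing the `*/5` cron entry unconditionally here means re-running the standalone setup stacks duplicate entries, and `crontab -l` on a fresh VM prints `no crontab for …` to stderr. Use `crontab -l 2>/dev/null | grep -qF "$SCALE_SCRIPT" || (crontab -l 2>/dev/null; echo "*/5 * * * * $SCALE_SCRIPT") | crontab -` so the line is added once. Note the `crontab` call is not under `sudo` like the neighbouring commands, so the entry lands in the crontab of whichever user runs this script; cron will then execute `$SCALE_SCRIPT` every five minutes, so that file should be owned by that user and not group/world-writable — worth a `chmod 755` alongside the install, if the script is dropped there by this same provisioning step.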