Commit 2b6b0b3c authored by Alex Reimers's avatar Alex Reimers

FL-82 - Fix logging in Firewall.java.

parent 03910fe9
...@@ -453,7 +453,6 @@ public class Firewall implements IFirewallService, IOFMessageListener, IFloodlig ...@@ -453,7 +453,6 @@ public class Firewall implements IFirewallService, IOFMessageListener, IFloodlig
protected boolean IPIsBroadcast(int IPAddress) { protected boolean IPIsBroadcast(int IPAddress) {
// inverted subnet mask // inverted subnet mask
int inv_subnet_mask = ~this.subnet_mask; int inv_subnet_mask = ~this.subnet_mask;
return ((IPAddress & inv_subnet_mask) == inv_subnet_mask); return ((IPAddress & inv_subnet_mask) == inv_subnet_mask);
} }
...@@ -470,11 +469,15 @@ public class Firewall implements IFirewallService, IOFMessageListener, IFloodlig ...@@ -470,11 +469,15 @@ public class Firewall implements IFirewallService, IOFMessageListener, IFloodlig
allowBroadcast = false; allowBroadcast = false;
} }
if (allowBroadcast == true) { if (allowBroadcast == true) {
logger.info("allowing broadcast traffic"); if (logger.isTraceEnabled())
decision = new FirewallDecision(IRoutingDecision.RoutingAction.FORWARD_OR_FLOOD); logger.trace("Allowing broadcast traffic for PacketIn={}", pi);
decision = new FirewallDecision(IRoutingDecision.RoutingAction.MULTICAST);
decision.addToContext(cntx); decision.addToContext(cntx);
} else { } else {
logger.info("blocking malformed broadcast traffic"); if (logger.isTraceEnabled())
logger.trace("Blocking malformed broadcast traffic for PacketIn={}", pi);
decision = new FirewallDecision(IRoutingDecision.RoutingAction.DROP); decision = new FirewallDecision(IRoutingDecision.RoutingAction.DROP);
decision.addToContext(cntx); decision.addToContext(cntx);
} }
...@@ -482,40 +485,39 @@ public class Firewall implements IFirewallService, IOFMessageListener, IFloodlig ...@@ -482,40 +485,39 @@ public class Firewall implements IFirewallService, IOFMessageListener, IFloodlig
} }
/* ARP response (unicast) can be let through without filtering through rules by uncommenting the code below */ /* ARP response (unicast) can be let through without filtering through rules by uncommenting the code below */
/* /*
else if (eth.getEtherType() == Ethernet.TYPE_ARP) { else if (eth.getEtherType() == Ethernet.TYPE_ARP) {
logger.info("allowing ARP traffic"); logger.info("allowing ARP traffic");
decision = new FirewallDecision(IRoutingDecision.RoutingAction.FORWARD_OR_FLOOD); decision = new FirewallDecision(IRoutingDecision.RoutingAction.FORWARD_OR_FLOOD);
decision.addToContext(cntx); decision.addToContext(cntx);
return Command.CONTINUE; return Command.CONTINUE;
} }
*/ */
// check if we have a matching rule for this packet/flow // check if we have a matching rule for this packet/flow
// and no decision is taken yet // and no decision is taken yet
if (decision == null) { if (decision == null) {
RuleWildcardsPair match_ret = this.matchWithRule(sw, pi, cntx); RuleWildcardsPair match_ret = this.matchWithRule(sw, pi, cntx);
FirewallRule rule = match_ret.rule; FirewallRule rule = match_ret.rule;
/*if (rule != null) {
String ruleInfo = "priority: " + (new Integer(rule.priority)).toString(); if (rule == null || rule.is_denyrule) {
ruleInfo += ", protocol: " + (new Integer(rule.proto_type)).toString();
ruleInfo += ", deny rule? ";
if (rule.is_denyrule) {
ruleInfo += "yes";
} else {
ruleInfo += "no";
}
logger.info("Rule - {}", ruleInfo);
}*/
if (rule == null || rule.is_denyrule == true) {
decision = new FirewallDecision(IRoutingDecision.RoutingAction.DROP); decision = new FirewallDecision(IRoutingDecision.RoutingAction.DROP);
decision.setWildcards(match_ret.wildcards); decision.setWildcards(match_ret.wildcards);
decision.addToContext(cntx); decision.addToContext(cntx);
logger.info("no firewall rule found to allow this packet/flow, blocking packet/flow"); if (logger.isTraceEnabled()) {
if (rule == null)
logger.trace("No firewall rule found for PacketIn={}, blocking flow",
pi);
else if (rule.is_denyrule) {
logger.trace("Deny rule={} match for PacketIn={}",
rule, pi);
}
}
} else { } else {
decision = new FirewallDecision(IRoutingDecision.RoutingAction.FORWARD_OR_FLOOD); decision = new FirewallDecision(IRoutingDecision.RoutingAction.FORWARD_OR_FLOOD);
decision.setWildcards(match_ret.wildcards); decision.setWildcards(match_ret.wildcards);
decision.addToContext(cntx); decision.addToContext(cntx);
logger.info("rule matched, allowing traffic"); if (logger.isTraceEnabled())
logger.trace("Allow rule={} match for PacketIn={}", rule, pi);
} }
} }
......
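Review bot: In the second hunk the allowed-broadcast branch appears, as rendered, to change its routing action from `FORWARD_OR_FLOOD` to `RoutingAction.MULTICAST`, which is a forwarding change in a firewall module that the commit title ("Fix logging") does not mention. If that is unintended, keep `decision = new FirewallDecision(IRoutingDecision.RoutingAction.FORWARD_OR_FLOOD);` here; if it is intended, it should go in its own commit with a description of why broadcast traffic is now handed on as multicast. Separately, every DROP decision (malformed broadcast, no rule, deny rule) is now logged only at trace, so blocked flows are invisible at the usual production log levels; if drops are meant to be auditable, consider `logger.debug` for the deny paths or a counter. The enclosing method begins and ends outside the visible hunks.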