Commit
2b6b0b3c
authored
12 years ago
by
Alex Reimers
FL-82 - Fix logging in Firewall.java.
parent
03910fe9
Showing
1 changed file
src/main/java/net/floodlightcontroller/firewall/Firewall.java
+27
-25
27 additions, 25 deletions
...main/java/net/floodlightcontroller/firewall/Firewall.java
with
27 additions
and
25 deletions
src/main/java/net/floodlightcontroller/firewall/Firewall.java
+
27
−
25
...
@@ -453,7 +453,6 @@ public class Firewall implements IFirewallService, IOFMessageListener, IFloodlig
...
@@ -453,7 +453,6 @@ public class Firewall implements IFirewallService, IOFMessageListener, IFloodlig
protected
boolean
IPIsBroadcast
(
int
IPAddress
)
{
protected
boolean
IPIsBroadcast
(
int
IPAddress
)
{
// inverted subnet mask
// inverted subnet mask
int
inv_subnet_mask
=
~
this
.
subnet_mask
;
int
inv_subnet_mask
=
~
this
.
subnet_mask
;
return
((
IPAddress
&
inv_subnet_mask
)
==
inv_subnet_mask
);
return
((
IPAddress
&
inv_subnet_mask
)
==
inv_subnet_mask
);
}
}
...
@@ -470,11 +469,15 @@ public class Firewall implements IFirewallService, IOFMessageListener, IFloodlig
...
@@ -470,11 +469,15 @@ public class Firewall implements IFirewallService, IOFMessageListener, IFloodlig
allowBroadcast
=
false
;
allowBroadcast
=
false
;
}
}
if
(
allowBroadcast
==
true
)
{
if
(
allowBroadcast
==
true
)
{
logger
.
info
(
"allowing broadcast traffic"
);
if
(
logger
.
isTraceEnabled
())
decision
=
new
FirewallDecision
(
IRoutingDecision
.
RoutingAction
.
FORWARD_OR_FLOOD
);
logger
.
trace
(
"Allowing broadcast traffic for PacketIn={}"
,
pi
);
decision
=
new
FirewallDecision
(
IRoutingDecision
.
RoutingAction
.
MULTICAST
);
decision
.
addToContext
(
cntx
);
decision
.
addToContext
(
cntx
);
}
else
{
}
else
{
logger
.
info
(
"blocking malformed broadcast traffic"
);
if
(
logger
.
isTraceEnabled
())
logger
.
trace
(
"Blocking malformed broadcast traffic for PacketIn={}"
,
pi
);
decision
=
new
FirewallDecision
(
IRoutingDecision
.
RoutingAction
.
DROP
);
decision
=
new
FirewallDecision
(
IRoutingDecision
.
RoutingAction
.
DROP
);
decision
.
addToContext
(
cntx
);
decision
.
addToContext
(
cntx
);
}
}
...
@@ -482,40 +485,39 @@ public class Firewall implements IFirewallService, IOFMessageListener, IFloodlig
...
@@ -482,40 +485,39 @@ public class Firewall implements IFirewallService, IOFMessageListener, IFloodlig
}
}
/* ARP response (unicast) can be let through without filtering through rules by uncommenting the code below */
/* ARP response (unicast) can be let through without filtering through rules by uncommenting the code below */
/*
/*
else if (eth.getEtherType() == Ethernet.TYPE_ARP) {
else if (eth.getEtherType() == Ethernet.TYPE_ARP) {
logger.info("allowing ARP traffic");
logger.info("allowing ARP traffic");
decision = new FirewallDecision(IRoutingDecision.RoutingAction.FORWARD_OR_FLOOD);
decision = new FirewallDecision(IRoutingDecision.RoutingAction.FORWARD_OR_FLOOD);
decision.addToContext(cntx);
decision.addToContext(cntx);
return Command.CONTINUE;
return Command.CONTINUE;
}
}
*/
*/
// check if we have a matching rule for this packet/flow
// check if we have a matching rule for this packet/flow
// and no decision is taken yet
// and no decision is taken yet
if
(
decision
==
null
)
{
if
(
decision
==
null
)
{
RuleWildcardsPair
match_ret
=
this
.
matchWithRule
(
sw
,
pi
,
cntx
);
RuleWildcardsPair
match_ret
=
this
.
matchWithRule
(
sw
,
pi
,
cntx
);
FirewallRule
rule
=
match_ret
.
rule
;
FirewallRule
rule
=
match_ret
.
rule
;
/*if (rule != null) {
String ruleInfo = "priority: " + (new Integer(rule.priority)).toString();
if
(
rule
==
null
||
rule
.
is_denyrule
)
{
ruleInfo += ", protocol: " + (new Integer(rule.proto_type)).toString();
ruleInfo += ", deny rule? ";
if (rule.is_denyrule) {
ruleInfo += "yes";
} else {
ruleInfo += "no";
}
logger.info("Rule - {}", ruleInfo);
}*/
if
(
rule
==
null
||
rule
.
is_denyrule
==
true
)
{
decision
=
new
FirewallDecision
(
IRoutingDecision
.
RoutingAction
.
DROP
);
decision
=
new
FirewallDecision
(
IRoutingDecision
.
RoutingAction
.
DROP
);
decision
.
setWildcards
(
match_ret
.
wildcards
);
decision
.
setWildcards
(
match_ret
.
wildcards
);
decision
.
addToContext
(
cntx
);
decision
.
addToContext
(
cntx
);
logger
.
info
(
"no firewall rule found to allow this packet/flow, blocking packet/flow"
);
if
(
logger
.
isTraceEnabled
())
{
if
(
rule
==
null
)
logger
.
trace
(
"No firewall rule found for PacketIn={}, blocking flow"
,
pi
);
else
if
(
rule
.
is_denyrule
)
{
logger
.
trace
(
"Deny rule={} match for PacketIn={}"
,
rule
,
pi
);
}
}
}
else
{
}
else
{
decision
=
new
FirewallDecision
(
IRoutingDecision
.
RoutingAction
.
FORWARD_OR_FLOOD
);
decision
=
new
FirewallDecision
(
IRoutingDecision
.
RoutingAction
.
FORWARD_OR_FLOOD
);
decision
.
setWildcards
(
match_ret
.
wildcards
);
decision
.
setWildcards
(
match_ret
.
wildcards
);
decision
.
addToContext
(
cntx
);
decision
.
addToContext
(
cntx
);
logger
.
info
(
"rule matched, allowing traffic"
);
if
(
logger
.
isTraceEnabled
())
logger
.
trace
(
"Allow rule={} match for PacketIn={}"
,
rule
,
pi
);
}
}
}
}
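Review bot: Drop decisions in the rule-matching branch (`rule == null || rule.is_denyrule`) appear to be recorded only at trace level in the new code, so a controller running at the usual info level would keep no record of which flows the firewall blocked or which deny rule matched. Removing per-packet info logging is reasonable, but the deny path should stay observable at a level operators actually enable, for example `logger.debug("Deny rule={} match for PacketIn={}", rule, pi);` or a per-rule drop counter. Inside that branch the inner `else if (rule.is_denyrule)` is always true once `rule != null` and can be a plain `else`. Separately, the allowed-broadcast decision is printed with both `FORWARD_OR_FLOOD` and `MULTICAST`; the page does not mark which side is new, but if the routing action changed, that is a forwarding change the title "Fix logging" does not mention and it should be stated in the commit description.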