You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
504 lines
18 KiB
504 lines
18 KiB
from __future__ import unicode_literals |
|
|
|
import nnpy |
|
import struct |
|
|
|
from p4utils.utils.topology import Topology |
|
from p4utils.utils.sswitch_API import SimpleSwitchAPI |
|
|
|
from scapy.all import * |
|
from scapy.data import ETHER_TYPES |
|
|
|
import sys |
|
import re |
|
|
|
import logging |
|
import argparse |
|
import subprocess |
|
|
|
import ipaddress |
|
|
|
logging.basicConfig() |
|
log = logging.getLogger("main") |
|
|
|
|
|
cpu_fields = { |
|
0: 'UNSET', |
|
1: 'ICMP6_NS', |
|
2: 'ICMP6_GENERAL', |
|
3: 'DEBUG' |
|
} |
|
|
|
table_id_fields = { |
|
0: 'UNSET_TABLE', |
|
1: 'TABLE_NAT64', |
|
2: 'TABLE_ICMP6', |
|
3: 'TABLE_V6_NETWORKS', |
|
4: 'TABLE_NAT46', |
|
5: 'TABLE_V4_NETWORKS' |
|
} |
|
|
|
table_proto = { |
|
'ICMP6_ECHO_REQUEST' : 128, |
|
'ICMP6_ECHO_REPLY' : 129, |
|
'ICMP6_NS' : 135, |
|
'ICMP6_NA' : 136, |
|
'ICMP_ECHO_REPLY' : 0, |
|
'ICMP_ECHO_REQUEST' : 8 |
|
} |
|
|
|
|
|
|
|
class CpuHeader(Packet): |
|
name = 'CpuPacket' |
|
fields_desc = [ |
|
ShortEnumField('task', 1, cpu_fields ), |
|
ShortField('ingress_port', 0), |
|
XShortEnumField("type", 0x9000, ETHER_TYPES), |
|
ShortEnumField('table_id', 1, table_id_fields ) |
|
] |
|
|
|
|
|
class L2Controller(object): |
|
def __init__(self, sw_name): |
|
# Command line mapping |
|
self.modes = ['base', 'router', "range_router" ] |
|
|
|
# Reverse maps the cpu header |
|
self.task = dict(reversed(item) for item in cpu_fields.items()) |
|
|
|
self.info={} |
|
|
|
# https://en.wikipedia.org/wiki/Solicited-node_multicast_address |
|
self.info['ndp_multicast'] = ipaddress.ip_network("ff02::1:ff00:0/104") |
|
self.info['mac_addr'] = "00:00:0a:00:00:42" |
|
self.info['ipv6_link_local'] = ipaddress.ip_address("fe80::200:aff:fe00:42") |
|
|
|
self.info['v6_mask'] = 64 |
|
self.info['v6_nat64_mask'] = 96 |
|
self.info['v6_base'] = ipaddress.ip_network("2001:db8::/32") |
|
|
|
self.info['v6_base_hostnet'] = ipaddress.ip_network("2001:db8::/48") |
|
self.info['v6_gen'] = self.info['v6_base_hostnet'].subnets(new_prefix=self.info['v6_mask']) |
|
|
|
# possible new range for NAT64 prefixes |
|
self.info['v6_nat64_base'] = ipaddress.ip_network("2001:db8:1::/48") |
|
|
|
# We reserve /64 (easier for reading), but only use /96 |
|
self.info['v6_nat64_gen'] = self.info['v6_nat64_base'].subnets(new_prefix=self.info['v6_mask']) |
|
|
|
self.info['v4_mask'] = 24 |
|
self.info['v4_base'] = ipaddress.ip_network("10.0.0.0/8") |
|
self.info['v4_gen'] = self.info['v4_base'].subnets(new_prefix=self.info['v4_mask']) |
|
|
|
self.info['v4_nat64_base'] = ipaddress.ip_network("10.1.0.0/16") |
|
self.info['v4_nat64_map'] = self.info['v4_nat64_base'].subnets(new_prefix=self.info['v4_mask']) |
|
|
|
self.info['switch_suffix'] = 0x42 |
|
self.info['nat64_prefix'] = ipaddress.ip_network("64:ff9b::/96") |
|
|
|
self.v6_routes = {} |
|
self.v6_routes[None] = [] |
|
self.v6_routes['base'] = [] |
|
|
|
self.ports = [] |
|
|
|
for port in range(1,3): |
|
net = self.info['v6_gen'].next() |
|
self.v6_routes['base'].append({ |
|
"net": net, |
|
"port": port} |
|
) |
|
self.ports.append(port) |
|
|
|
self.v6_routes['router'] = self.v6_routes['base'] |
|
|
|
# only 1 route to avoid table duplicate/conflict |
|
self.v6_routes['range_router'] = self.v6_routes['base'][0:1] |
|
|
|
self.v4_routes = {} |
|
self.v4_routes[None] = [] |
|
self.v4_routes['base'] = [] |
|
for port in range(3,5): |
|
net = self.info['v4_gen'].next() |
|
self.v4_routes['base'].append({ |
|
"net": net, |
|
"port": port} |
|
) |
|
self.ports.append(port) |
|
|
|
self.v4_routes['router'] = self.v4_routes['base'] |
|
self.v4_routes['range_router'] = self.v4_routes['base'] |
|
|
|
self.v6_addresses = {} |
|
self.v6_addresses[None] = [] |
|
for mode in self.modes: |
|
self.v6_addresses[mode] = [ net['net'][self.info['switch_suffix']] for net in self.v6_routes[mode] ] |
|
|
|
self.v4_addresses = {} |
|
self.v4_addresses[None] = [] |
|
for mode in self.modes: |
|
self.v4_addresses[mode] = [ net['net'][self.info['switch_suffix']] for net in self.v4_routes[mode] ] |
|
|
|
self.nat64_map = {} |
|
# init default |
|
for mode in self.modes: |
|
self.nat64_map[mode] = [] |
|
|
|
# specific settings - mapping 256 IPv6 IPs max statically (based on /24) |
|
for mode in ["range_router"]: |
|
for v6_net in self.v6_routes[mode]: |
|
# This is a /64 |
|
v6_dst_base = self.info['v6_nat64_gen'].next() |
|
|
|
# This is a /96 -> the first /96 inside the /64 |
|
v6_dst = v6_dst_base.subnets(new_prefix=self.info['v6_nat64_mask']).next() |
|
|
|
for v4_net in self.v4_routes[mode]: |
|
v4_dst = self.info['v4_nat64_map'].next() |
|
|
|
self.nat64_map[mode].append({ |
|
"v6_src": v6_net['net'], |
|
# "v6_dst": self.info['nat64_prefix'] # static -- not supported ATM |
|
"v6_dst": v6_dst, |
|
"v4_src": v4_net['net'], |
|
"v4_dst": v4_dst |
|
}) |
|
|
|
self.init_boilerplate(sw_name) |
|
self.init_other_port_multicast_groups() |
|
|
|
def gen_ndp_multicast_addr(self, addr): |
|
""" append the 24 bit of the address to the multicast address""" |
|
|
|
last_24 = int(addr) & 0xffffff |
|
addr = self.info['ndp_multicast'][last_24] |
|
|
|
return addr |
|
|
|
def init_other_port_multicast_groups(self): |
|
""" map multicast group x to send to |
|
all ports but x - basically broadcasting without sending back to ourselves |
|
""" |
|
|
|
# create multicast nodes |
|
for rid in self.ports: |
|
ports = [ x for x in self.ports if not x == rid ] |
|
n_handle = self.controller.mc_node_create(rid, ports) |
|
log.debug("Creating MC node rid={} ports={} handle={}".format(rid, ports, n_handle)) |
|
|
|
g_handle = self.controller.mc_mgrp_create(rid) |
|
log.debug("Created MC group mgrp={} handle={} && associating afterwards".format(rid, g_handle)) |
|
|
|
self.controller.mc_node_associate(g_handle, n_handle) |
|
|
|
def init_boilerplate(self, sw_name): |
|
self.topo = Topology(db="topology.db") |
|
self.sw_name = sw_name |
|
self.thrift_port = self.topo.get_thrift_port(sw_name) |
|
self.cpu_port = self.topo.get_cpu_port_index(self.sw_name) |
|
self.controller = SimpleSwitchAPI(self.thrift_port) |
|
self.intf = str(self.topo.get_cpu_port_intf(self.sw_name).replace("eth0", "eth1")) |
|
self.controller.reset_state() |
|
|
|
if self.cpu_port: |
|
self.controller.mirroring_add(100, self.cpu_port) |
|
|
|
def config(self): |
|
self.fill_tables() |
|
self.config_hosts() |
|
|
|
def listen_to_icmp6_multicast(self): |
|
"""Only needed for debugging""" |
|
|
|
net = self.info['ndp_multicast'] |
|
self.controller.table_add("v6_networks", "controller_debug", [str(net)]) |
|
|
|
def init_ndp_in_switch(self, addr): |
|
icmp6_addr = self.gen_ndp_multicast_addr(addr) |
|
icmp6_net = "{}/128".format(icmp6_addr) |
|
icmp6_type = 135 |
|
mac_addr = self.info['mac_addr'] |
|
|
|
self.controller.table_add("icmp6", |
|
"icmp6_neighbor_solicitation", |
|
[str(icmp6_net), str(icmp6_type)], [str(addr), str(mac_addr)]) |
|
|
|
def init_icmp6_echo_in_switch(self, addr): |
|
icmp6_addr = addr |
|
icmp6_type = 128 |
|
icmp6_net = "{}/128".format(icmp6_addr) |
|
|
|
self.controller.table_add("icmp6", |
|
"icmp6_echo_reply", |
|
[str(icmp6_net), str(icmp6_type)], []) |
|
|
|
|
|
def fill_tables(self): |
|
self.controller.table_clear("v6_networks") |
|
for v6route in self.v6_routes[self.mode]: |
|
self.controller.table_add("v6_networks", "set_egress_port", [str(v6route['net'])], [str(v6route['port'])]) |
|
|
|
self.controller.table_clear("v4_networks") |
|
for v4route in self.v4_routes[self.mode]: |
|
self.controller.table_add("v4_networks", "set_egress_port", [str(v4route['net'])], [str(v4route['port'])]) |
|
|
|
if self.args.multicast_to_controller: |
|
self.listen_to_icmp6_multicast() |
|
|
|
self.controller.table_clear("icmp6") |
|
for v6addr in self.v6_addresses[self.mode]: |
|
self.init_ndp_in_switch(v6addr) |
|
self.init_icmp6_echo_in_switch(v6addr) |
|
|
|
self.controller.table_clear("nat64") |
|
self.controller.table_clear("nat46") |
|
for nat64map in self.nat64_map[self.mode]: |
|
self.static_nat64_mapping(**nat64map) |
|
|
|
def static_nat64_mapping(self, v6_src, v6_dst, v4_src, v4_dst): |
|
""" |
|
Currently using destination only matching due to non priority |
|
LPM support in P4 |
|
|
|
This could be solved with ternary matches or smart double table usage |
|
""" |
|
|
|
log.info("NAT64 map: ({} -> {} => {}), ({} -> {} -> {} (only /24)))".format( |
|
v6_src, v6_dst, v4_dst, |
|
v4_src, v4_dst, v6_src)) |
|
|
|
self.controller.table_add("nat64", |
|
"nat64_static", |
|
[str(v6_dst)], |
|
[str(v6_src.network_address), |
|
str(v4_dst.network_address), |
|
str(v6_dst.network_address)] |
|
) |
|
self.controller.table_add("nat46", |
|
"nat46_static", |
|
[str(v4_dst)], |
|
[str(v6_src.network_address), |
|
str(v4_dst.network_address), |
|
str(v6_dst.network_address)] |
|
) |
|
|
|
|
|
def config_hosts(self): |
|
""" Assumptions: |
|
- all routes are networks (no /128 v6 or /32 v4 |
|
- hosts get the first ip address in the network |
|
""" |
|
|
|
for v6route in self.v6_routes[self.mode]: |
|
host = "h{}".format(v6route['port']) |
|
dev = "{}-eth0".format(host) |
|
net = v6route['net'] |
|
ipaddr = "{}/{}".format(net[1],net.prefixlen) |
|
router = str(net[self.info['switch_suffix']]) |
|
|
|
self.config_v6_host(host, str(net), str(ipaddr), dev, router) |
|
|
|
for v4route in self.v4_routes[self.mode]: |
|
host = "h{}".format(v4route['port']) |
|
dev = "{}-eth0".format(host) |
|
net = v4route['net'] |
|
ipaddr = "{}/{}".format(net[1],net.prefixlen) |
|
router = str(net[self.info['switch_suffix']]) |
|
|
|
self.config_v4_host(host, str(net), str(ipaddr), dev, router) |
|
|
|
@staticmethod |
|
def config_v6_host(host, net, ipaddr, dev, router=None): |
|
log.debug("Config v6 host: {} {}->{} on {}".format(host, net, ipaddr, dev)) |
|
|
|
subprocess.call(["mx", host, "ip", "addr", "flush", "dev", dev]) |
|
for v6dev in [ "lo", "default", "all", dev ]: |
|
subprocess.call(["mx", host, "sysctl", "net.ipv6.conf.{}.disable_ipv6=0".format(v6dev)]) |
|
|
|
# Set down & up to regain link local address |
|
subprocess.call(["mx", host, "ip", "link", "set", dev, "down"]) |
|
subprocess.call(["mx", host, "ip", "link", "set", dev, "up"]) |
|
|
|
subprocess.call(["mx", host, "ip", "addr", "add", ipaddr, "dev", dev]) |
|
|
|
if router: |
|
subprocess.call(["mx", host, "ip", "route", "add", "default", "via", router]) |
|
|
|
@staticmethod |
|
def config_v4_host(host, net, ipaddr, dev, router=None): |
|
log.debug("Config v4 host: {} {}->{} on {} via {}".format(host, net, ipaddr, dev, router)) |
|
|
|
subprocess.call(["mx", host, "ip", "addr", "flush", "dev", dev]) |
|
subprocess.call(["mx", host, "ip", "addr", "add", ipaddr, "dev", dev]) |
|
|
|
if router: |
|
subprocess.call(["mx", host, "ip", "route", "add", "default", "via", router]) |
|
|
|
def debug_print_pkg(self, pkg, msg="INCOMING"): |
|
log.debug("{}: {}".format(msg, pkg.__repr__())) |
|
|
|
def debug_format_pkg(self, pkg): |
|
packet = Ether(str(pkg)) |
|
|
|
if packet.type == 0x800: |
|
ip = pkg.getlayer(IP) |
|
elif packet.type == 0x86dd: |
|
ip = pkg.getlayer(IPv6) |
|
|
|
# tcp = pkg.getlayer(TCP) |
|
|
|
# raw = pkg.getlayer(Raw) |
|
|
|
# return "{}:{} => {}:{}: flags={} seq={} ack={} raw={}".format( |
|
# ip.src, tcp.sport, |
|
# ip.dst, tcp.dport, |
|
# tcp.flags, |
|
# tcp.seq, |
|
# tcp.ack, |
|
# raw) |
|
|
|
def handle_icmp6_echo_request(self, pkg): |
|
""" |
|
Sample from the wire: |
|
|
|
DEBUG:main:reassambled=<Ether dst=00:00:0a:00:00:42 src=00:00:0a:00:00:01 type=0x86dd |<IPv6 version=6 tc=0 fl=474570 plen=64 nh=ICMPv6 hlim=64 src=2001:db8::1 dst=2001:db8::42 |<ICMPv6EchoRequest type=Echo Request code=0 cksum=0xb76d id=0x16cd seq=0x1 data='\x1f\xe2~\\\x00\x00\x00\x00\xf8\x82\x00\x00\x00\x00\x00\x00\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./01234567' |>>> |
|
""" |
|
|
|
log.info("Replying to ICMP packet") |
|
dst_mac = pkg[Ether].src |
|
src_mac = pkg[Ether].dst |
|
|
|
dst_addr = pkg[IPv6].src |
|
src_addr = pkg[IPv6].dst |
|
|
|
e = Ether(src=src_mac, dst=dst_mac) |
|
i = IPv6(src=src_addr, dst=dst_addr) |
|
i2 = ICMPv6EchoReply(id=pkg[ICMPv6EchoRequest].id, |
|
seq=pkg[ICMPv6EchoRequest].seq, |
|
data=pkg[ICMPv6EchoRequest].data) |
|
i2.cksum = None |
|
answer = e / i / i2 |
|
|
|
self.send_pkg(answer) |
|
|
|
|
|
def handle_icmp6_ns(self, pkg): |
|
""" Solicitated NA""" |
|
|
|
# Both ways should work |
|
dst_mac = pkg[Ether].src |
|
dst_mac = pkg[ICMPv6NDOptSrcLLAddr].lladdr |
|
src_mac = self.info['mac_address'] |
|
|
|
dst_addr = pkg[IPv6].src |
|
src_addr = pkg[ICMPv6ND_NS].tgt |
|
|
|
e = Ether(src=src_mac, dst=dst_mac) |
|
i = IPv6(src=src_addr, dst=dst_addr) |
|
|
|
# S=1 -> solicitated |
|
i2 = ICMPv6ND_NA(S=1, R=0, tgt=src_addr) |
|
# try5: cksum not chksum ! |
|
i2.cksum = None |
|
|
|
i3 = ICMPv6NDOptDstLLAddr(lladdr=src_mac) |
|
|
|
answer = e / i / i2 / i3 |
|
|
|
# try 4 |
|
# for l in [Ether, IPv6, ICMPv6ND_NA, ICMPv6NDOptDstLLAddr]: |
|
# try: |
|
# del answer[l].chksum |
|
# except AttributeError: |
|
# pass |
|
|
|
# Let scapy recalc checksum (try3) |
|
# answer = answer.__class__(str(answer)) |
|
|
|
self.send_pkg(answer) |
|
|
|
def send_pkg(self, pkg): |
|
self.debug_print_pkg(pkg, "OUTGOING") |
|
sendp(pkg, iface=self.intf, verbose=False) |
|
|
|
def recv_msg_cpu(self, pkg): |
|
packet = Ether(str(pkg)) |
|
|
|
cpu_header = "" |
|
ether_orig = "" |
|
orig_packet = "" |
|
|
|
if packet.type == 0x4242: |
|
cpu_header = CpuHeader(packet.payload) |
|
|
|
# Not necessary anymore - cpu decoding works |
|
log.debug("cpu = {}".format(cpu_header.__repr__())) |
|
|
|
ether_orig = Ether(src=packet.src, dst=packet.dst, type=cpu_header.type) |
|
|
|
if cpu_header.type == 0x0800: |
|
orig_packet = ether_orig / IP(cpu_header.load) |
|
elif cpu_header.type == 0x86dd: |
|
orig_packet = ether_orig / IPv6(cpu_header.load) |
|
else: |
|
print("Broken pkg: {}".format(pkg.__repr__())) |
|
return |
|
else: |
|
print("Broken / unhandled pkg: {}".format(pkg.__repr__())) |
|
return |
|
|
|
# Process parsed |
|
if ICMPv6ND_NS in orig_packet and orig_packet['IPv6'].src == '::': |
|
log.info("Neighbor solicitation for checking her own IP address") |
|
elif ICMPv6MLReport2 in orig_packet and orig_packet['IPv6'].dst == 'ff02::16': |
|
mc_group = orig_packet['ICMPv6MLDMultAddrRec'].dst |
|
log.info("Multicast registration for {} port {} -- should probably handle this".format(mc_group, cpu_header.ingress_port)) |
|
elif ICMPv6ND_RS in orig_packet and orig_packet['IPv6'].dst == 'ff02::2': |
|
src = orig_packet['IPv6'].src |
|
log.info("Router solicitation from {} -- should probably handle this?".format(src)) |
|
elif cpu_header.task == self.task['ICMP6_NS']: |
|
log.info("Doing neighbor solicitation for the switch in the controller") |
|
self.handle_icmp6_ns(orig_packet) |
|
elif cpu_header.task == self.task['ICMP6_GENERAL']: |
|
if ICMPv6EchoRequest in orig_packet: |
|
self.handle_icmp6_echo_request(orig_packet) |
|
else: |
|
log.info("unhandled reassambled={} from table {}".format(orig_packet.__repr__(), table_id_fields[cpu_header.table_id])) |
|
|
|
|
|
def run_cpu_port_loop(self): |
|
sniff(iface=self.intf, prn=self.recv_msg_cpu) |
|
|
|
def commandline(self): |
|
parser = argparse.ArgumentParser(description='controller++') |
|
parser.add_argument('--mode', help='Select mode / settings to use', choices=self.modes) |
|
parser.add_argument('--debug', help='Enable debug logging', action='store_true') |
|
parser.add_argument('--verbose', help='Enable verbose logging', action='store_true') |
|
parser.add_argument('--multicast-to-controller', help='Send debug multicast to controller', action='store_true') |
|
|
|
self.args = parser.parse_args() |
|
self.mode = self.args.mode |
|
self.debug = self.args.debug |
|
|
|
if __name__ == "__main__": |
|
import sys |
|
import os |
|
|
|
sw_name = "s1" |
|
controller = L2Controller(sw_name) |
|
controller.commandline() |
|
|
|
if controller.args.debug: |
|
log.setLevel(logging.DEBUG) |
|
elif controller.args.verbose: |
|
log.setLevel(logging.INFO) |
|
else: |
|
log.setLevel(logging.WARNING) |
|
|
|
log.info("Booting...") |
|
log.debug("Debug enabled.") |
|
|
|
|
|
controller.config() |
|
controller.run_cpu_port_loop()
|
|
|