verinec.netsim.firewall
Class PacketFilters

java.lang.Object
  extended by verinec.netsim.firewall.PacketFilters

public class PacketFilters
extends Object

Version:
$Revision: 825 $
Author:
jason.hug@unifr.ch

Field Summary
private  String forward
          reference-string to the forward chain specified from the node.xml
private  PacketFilterChain forward_chain
          reference to the global FORWARD chain object
private  String globalin
          reference-string to the global INPUT chain specified from the node.xml
private  String globalout
          reference-string to the global OUTPUT chain specified from the node.xml
private  String hostname
          Hostname of the node.
private  PacketFilterChain input_chain
          reference to the global INPUT chain object
private  InterfaceFilterMappings interfaceFilterMappings
          Stores the Interface Filter Mappings
private  Logger logger
           
private  PacketFilterChain output_chain
          reference to the global OUTPUT chain object
private  Vector packetFilterChains
          Stores all available Filter-Chains
private  String simTime
          Current simulation time of the node.
 
Constructor Summary
protected PacketFilters(Element node, String hostname)
          Creates a new Packet Filter.
protected PacketFilters(String hostname)
          Creates a packet-filter which accepts everything.
 
Method Summary
private  void addPacketFilterChain(PacketFilterChain chain)
          Adds a chain to the Packet-Filter-Chains
 PacketFilterChain getForward_chain()
           
 String getForward()
          Retrieves the reference-string to the global FORWARD chain
 String getGlobalin()
          Retrieves the reference-string to the global INPUT chain
 String getGlobalout()
          Retrieves the reference-string to the global OUTPUT chain
 String getHostname()
           
 PacketFilterChain getInput_chain()
           
 InterfaceFilterMappings getInterfaceFilterMappings()
          Gets the interface-filter-mappings
 PacketFilterChain getOutput_chain()
           
private  PacketFilterChain getPacketFilterChain(String id)
          Returns the chain that corresponds to the given ID.
 Vector getPacketFilterChains()
          Gets the packet-filter-chains
 String getSimTime()
           
private  PacketFilterChain initDefaultChain(String name)
          Creates a default chain with the given name and adds it to the packet-filter-chains.
private  void initPacketFilterChain(Element node)
          Initializes the packet-filter chain from the node configuration element.
private  void InitStatefulInspection(Element node)
          Initializes stateful inspection for this node if a match-state rule is configured.
 IPacketAction matchAction(Packet packet, String interfaceRef, String direction, Node node, String simTime, ILogger eventsLog)
          This method receives a packet and checks in the defined packet-filter-chains if there are any rules that match.
 void setForward(String forward)
          Sets the reference-string to the global FORWARD chain
 void setGlobalin(String globalin)
          Sets the reference-string to the global INPUT chain
 void setGlobalout(String globalout)
          Sets the reference-string to the global OUTPUT chain
 void setInterfaceFilterMappings(InterfaceFilterMappings interfaceFilterMappings)
          Sets the interface-filter-mappings
 void setPacketFilterChains(Vector packetFilterChains)
          Sets the packet-filter-chains
 void setSimTime(String simTime)
           
private  void statefulInspection(Packet packet, IPacketAction action, String direction, Node node, String simTime)
          Method which handles the Stateful Inspection's HashTable for the packet-filter.
 String toString()
           
private  IPacketAction traverseChain(Packet packet, String interfaceRef, String direction, PacketFilterChain chain, ILogger eventsLog)
          Traverse Chain picks out the referenced chain and traverses it.
private  IPacketAction traverseDefaultChain(Packet packet, String interfaceRef, String direction, ILogger eventsLog)
          Traverses the corresponding default chain.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
 

Field Detail

logger

private Logger logger

globalout

private String globalout
reference-string to the global OUTPUT chain specified from the node.xml


output_chain

private PacketFilterChain output_chain
reference to the global OUTPUT chain object


globalin

private String globalin
reference-string to the global INPUT chain specified from the node.xml


input_chain

private PacketFilterChain input_chain
reference to the global INPUT chain object


forward

private String forward
reference-string to the forward chain specified from the node.xml


forward_chain

private PacketFilterChain forward_chain
reference to the global FORWARD chain object


interfaceFilterMappings

private InterfaceFilterMappings interfaceFilterMappings
Stores the Interface Filter Mappings


packetFilterChains

private Vector packetFilterChains
Stores all available Filter-Chains


hostname

private String hostname
Hostname of the node. This variable is needed to reference the right Stateful Inspection Hash Table from the StatefulTablesSingleton instance.


simTime

private String simTime
Current simulation time of the node.

Constructor Detail

PacketFilters

protected PacketFilters(Element node,
                        String hostname)
Creates a new Packet Filter from the node configuration file (node.xml). If the configuration contains a match-state rule, this constructor also initializes stateful inspection for the node.

Parameters:
node - Element which specifies the Packet Filters configurations.
hostname - To be configured node's hostname

PacketFilters

protected PacketFilters(String hostname)
Creates a packet-filter which accepts everything. This constructor is used when no packet-filters service was specified in the network configuration file (node.xml). Three default chains (INPUT, OUTPUT, FORWARD) are created; they contain no rules and have a default policy of ACCEPT.

Parameters:
hostname - To be configured node's hostname
Method Detail

matchAction

public IPacketAction matchAction(Packet packet,
                                 String interfaceRef,
                                 String direction,
                                 Node node,
                                 String simTime,
                                 ILogger eventsLog)
This method receives a packet and checks whether any rule in the defined packet-filter-chains matches it. If a rule matches, the action defined by that rule is returned. If no rule matches, the default policy of the packet-filter-chain is returned. If stateful inspection is in use, this method also updates the node's connection table (see statefulInspection).

Parameters:
packet - Packet that should be inspected.
interfaceRef - The interface on which the packet was received.
direction - The direction in which the packet is heading. Use IFirewall.IN, IFirewall.OUT or IFirewall.FORWARD.
node - Node needed for stateful inspection; it gives access to the states of the TCP connections.
simTime - Simulation time. Needed for stateful inspection, so that connection time-outs can be determined.
eventsLog - The Verinec Simulator Event logger instance.
Returns:
The corresponding Action.

statefulInspection

private void statefulInspection(Packet packet,
                                IPacketAction action,
                                String direction,
                                Node node,
                                String simTime)
Maintains the stateful inspection hash table for this packet-filter. Only packets that were ACCEPTED by the packet-filter are added to or updated in the table: if an entry for the packet's connection already exists it is updated, otherwise the packet is entered as a new connection. Independently of the action, every call decrements the timeout value of each entry in the hash table, so that idle connections eventually time out.

Parameters:
packet - Packet entry to add or update.
action - Action to check if the packet was ACCEPTED by the packet-filter.
direction - In which direction the packet is heading.
node - Node needed for stateful inspection. With this we are able to retrieve the states of the TCP connections.
simTime - Simulation time. Needed for stateful inspection, so that we know when a connection times out.
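Worked illustration, added here and not part of the VeriNEC code base: a stand-alone Java model of the per-node connection table that statefulInspection is described as maintaining (one table per hostname, entries added or refreshed only for accepted packets, timeouts decremented on every call). The Pkt, Key and Entry types, the NEW/ESTABLISHED states, the ordering of endpoints so that both directions of a flow share one entry, the fixed timeout value and the per-call ageing (the real method receives simTime; here each call stands in for one simulation step) are assumptions made for this example only.

```java
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;

// Added illustration, not VeriNEC project code: a stand-alone model of the
// per-node stateful inspection table described for statefulInspection and
// InitStatefulInspection. Key layout, the NEW/ESTABLISHED states and the
// bidirectional key normalisation are assumptions made for this example.
public class StatefulTableDemo {

    static final int INITIAL_TIMEOUT = 5;   // in calls/simulation steps; value is assumed

    enum State { NEW, ESTABLISHED }

    // Constructed packet: only the fields needed to key a connection.
    record Pkt(String srcIp, int srcPort, String dstIp, int dstPort, String proto) {}

    // Both directions of a flow share one key: endpoints are ordered so that
    // a reply packet looks up the same entry as the packet that created it.
    record Key(String aIp, int aPort, String bIp, int bPort, String proto) {
        static Key of(Pkt p) {
            String a = p.srcIp() + ":" + p.srcPort(), b = p.dstIp() + ":" + p.dstPort();
            return a.compareTo(b) <= 0
                ? new Key(p.srcIp(), p.srcPort(), p.dstIp(), p.dstPort(), p.proto())
                : new Key(p.dstIp(), p.dstPort(), p.srcIp(), p.srcPort(), p.proto());
        }
    }

    static final class Entry {
        State state = State.NEW;
        int timeout = INITIAL_TIMEOUT;
        final String originatorIp;            // endpoint that sent the first packet
        Entry(String originatorIp) { this.originatorIp = originatorIp; }
    }

    // One table per node, looked up by hostname, as the page describes for
    // StatefulTablesSingleton.
    private final Map<String, Map<Key, Entry>> tables = new HashMap<>();

    Map<Key, Entry> tableFor(String hostname) {
        return tables.computeIfAbsent(hostname, h -> new HashMap<>());
    }

    // Mirrors the described behaviour: every call ages all entries (and
    // evicts those that reached zero), then an ACCEPTed packet either
    // refreshes its connection entry or creates a new one. Dropped packets
    // never create state.
    void statefulInspection(String hostname, Pkt p, boolean accepted) {
        Map<Key, Entry> t = tableFor(hostname);
        for (Iterator<Entry> it = t.values().iterator(); it.hasNext();) {
            if (--it.next().timeout <= 0) it.remove();
        }
        if (!accepted) return;
        Key k = Key.of(p);
        Entry e = t.get(k);
        if (e == null) {
            t.put(k, new Entry(p.srcIp()));
        } else {
            e.timeout = INITIAL_TIMEOUT;
            // A packet from the other endpoint confirms the connection.
            if (!e.originatorIp.equals(p.srcIp())) e.state = State.ESTABLISHED;
        }
    }

    // What a match-state rule would consult: is this packet part of a known
    // connection, and in which state? null means "no state, unsolicited".
    State stateOf(String hostname, Pkt p) {
        Entry e = tableFor(hostname).get(Key.of(p));
        return e == null ? null : e.state;
    }

    public static void main(String[] args) {
        StatefulTableDemo st = new StatefulTableDemo();
        String host = "fw1";   // constructed hostname
        Pkt syn   = new Pkt("10.0.0.5", 40000, "192.0.2.10", 80, "tcp");
        Pkt reply = new Pkt("192.0.2.10", 80, "10.0.0.5", 40000, "tcp");
        Pkt stray = new Pkt("198.51.100.7", 80, "10.0.0.5", 40001, "tcp");

        System.out.println(st.stateOf(host, reply));   // null: a reply with no prior request is unsolicited
        st.statefulInspection(host, syn, true);
        System.out.println(st.stateOf(host, reply));   // NEW: the reply now belongs to a known flow
        st.statefulInspection(host, reply, true);
        System.out.println(st.stateOf(host, syn));     // ESTABLISHED: both endpoints have been seen
        st.statefulInspection(host, stray, false);     // dropped packet: creates no entry ...
        System.out.println(st.stateOf(host, stray));   // null
        for (int i = 0; i < INITIAL_TIMEOUT; i++)      // ... but every call still ages the table
            st.statefulInspection(host, stray, false);
        System.out.println(st.stateOf(host, syn));     // null: the idle connection timed out
    }
}
```

The sequence in main shows the property a match-state rule relies on: a packet that looks like a reply but has no matching entry reports no state, while the same packet after the originating request is recognised, and an idle connection disappears after INITIAL_TIMEOUT further calls. Requires Java 16 or later (records).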

traverseChain

private IPacketAction traverseChain(Packet packet,
                                    String interfaceRef,
                                    String direction,
                                    PacketFilterChain chain,
                                    ILogger eventsLog)
Picks out the referenced chain and traverses it. Every action found is returned except the gosub action, which references the next chain to be traversed; in that case traverseChain calls itself recursively on the referenced chain until an action other than gosub is found.

Parameters:
packet - The packet to match against the rules.
interfaceRef - The interface on which the packet was received.
direction - The direction in which the packet is going (in, out, forward).
chain - The chain to traverse
eventsLog - The Verinec Simulator Event logger instance.
Returns:
The corresponding Packet Action except for GOSUB-ACTION (handled internally)

traverseDefaultChain

private IPacketAction traverseDefaultChain(Packet packet,
                                           String interfaceRef,
                                           String direction,
                                           ILogger eventsLog)
Traverses the default chain that corresponds to the given direction (INPUT for in, OUTPUT for out, FORWARD for forward) and returns the resulting action.

Parameters:
packet - Packet which needs to be checked against the rules.
interfaceRef - The interface on which the packet was received.
direction - The direction in which the packet is moving (in, out, forward).
eventsLog - The Verinec Simulator Event logger instance.
Returns:
The corresponding Packet Action
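Worked illustration, added here and not part of the VeriNEC code base: a stand-alone Java model of the lookup that matchAction, traverseChain and traverseDefaultChain describe (direction selects the default chain, the first matching rule decides, gosub recurses into another chain, and the default policy applies when nothing matches). The Rule, Chain and Pkt types and the match fields are assumptions for this example. Two details the page does not spell out are also assumptions and are marked as such in the code: when a gosub target contains no matching rule, traversal resumes after the gosub rule in the calling chain (the behaviour of user-defined chains in iptables), and a cycle of gosub references is cut off rather than recursed into forever.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added illustration, not VeriNEC project code: a stand-alone model of the
// chain traversal described for matchAction/traverseChain/traverseDefaultChain.
// Rule, Chain, Pkt and the match fields are assumptions made for this example.
public class ChainTraversalDemo {

    enum Action { ACCEPT, DROP, REJECT, GOSUB }

    // Constructed packet: only the fields the sample rules inspect.
    record Pkt(String srcIp, String dstIp, String proto, int dstPort) {}

    // A rule matches on optional protocol, destination port and source prefix
    // (null / -1 = any). For GOSUB, gosubChain names the chain to continue in.
    record Rule(String proto, int dstPort, String srcPrefix, Action action, String gosubChain) {
        boolean matches(Pkt p) {
            return (proto == null || proto.equals(p.proto()))
                && (dstPort < 0 || dstPort == p.dstPort())
                && (srcPrefix == null || p.srcIp().startsWith(srcPrefix));
        }
    }

    record Chain(String id, List<Rule> rules, Action defaultPolicy) {}

    private final Map<String, Chain> chains = new HashMap<>();

    void addChain(Chain c) { chains.put(c.id(), c); }

    // The direction selects the default chain, as traverseDefaultChain does.
    Action matchAction(Pkt p, String direction) {
        String id = switch (direction) {
            case "in" -> "INPUT";
            case "out" -> "OUTPUT";
            case "forward" -> "FORWARD";
            default -> throw new IllegalArgumentException("bad direction: " + direction);
        };
        Chain entry = chains.get(id);
        Action a = traverse(p, entry, new HashSet<>());
        // No rule anywhere matched: the entry chain's default policy decides.
        return a != null ? a : entry.defaultPolicy();
    }

    // First matching rule wins. GOSUB recurses into the referenced chain; if
    // that chain yields nothing (no match), traversal resumes after the GOSUB
    // rule in the caller (iptables-style return; the page does not spell this
    // out, so it is an assumption). 'onPath' is a guard the page does not
    // mention: a GOSUB cycle would otherwise recurse forever.
    private Action traverse(Pkt p, Chain chain, Set<String> onPath) {
        if (chain == null || !onPath.add(chain.id())) return null;
        try {
            for (Rule r : chain.rules()) {
                if (!r.matches(p)) continue;
                if (r.action() != Action.GOSUB) return r.action();
                Action sub = traverse(p, chains.get(r.gosubChain()), onPath);
                if (sub != null) return sub;
            }
            return null;
        } finally {
            onPath.remove(chain.id());
        }
    }

    public static void main(String[] args) {
        ChainTraversalDemo pf = new ChainTraversalDemo();
        // Constructed policy: INPUT drops by default, hands 10.x traffic to
        // "trusted" and otherwise admits only TCP/80.
        pf.addChain(new Chain("INPUT", List.of(
            new Rule(null, -1, "10.", Action.GOSUB, "trusted"),
            new Rule("tcp", 80, null, Action.ACCEPT, null)), Action.DROP));
        pf.addChain(new Chain("trusted", List.of(
            new Rule("tcp", 22, null, Action.ACCEPT, null)), Action.DROP));
        pf.addChain(new Chain("OUTPUT", List.of(), Action.ACCEPT));
        // Deliberately broken: FORWARD gosubs to itself.
        pf.addChain(new Chain("FORWARD", List.of(
            new Rule(null, -1, null, Action.GOSUB, "FORWARD")), Action.DROP));

        Pkt sshFromLan  = new Pkt("10.0.0.5",  "10.0.0.1", "tcp", 22);
        Pkt tlsFromLan  = new Pkt("10.0.0.5",  "10.0.0.1", "tcp", 443);
        Pkt httpFromNet = new Pkt("192.0.2.9", "10.0.0.1", "tcp", 80);
        Pkt dnsFromNet  = new Pkt("192.0.2.9", "10.0.0.1", "udp", 53);

        System.out.println(pf.matchAction(sshFromLan, "in"));       // ACCEPT (GOSUB into trusted)
        System.out.println(pf.matchAction(tlsFromLan, "in"));       // DROP (trusted has no match; INPUT default)
        System.out.println(pf.matchAction(httpFromNet, "in"));      // ACCEPT (second INPUT rule)
        System.out.println(pf.matchAction(dnsFromNet, "in"));       // DROP (no match; INPUT default)
        System.out.println(pf.matchAction(dnsFromNet, "forward"));  // DROP (cycle guard ends the GOSUB loop)
    }
}
```

The second packet is the instructive case: it matches the GOSUB rule, finds nothing in the sub-chain, and ends up with the entry chain's default policy rather than the sub-chain's; whether the real traverseChain behaves this way is not stated on this page. Requires Java 16 or later (records, switch expressions).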

InitStatefulInspection

private void InitStatefulInspection(Element node)
Initializes stateful inspection. If the node is configured with a match-state rule, a stateful inspection table is created for this node (keyed by hostname in the StatefulTablesSingleton instance).

Parameters:
node - Element which specifies the Packet Filters configurations.

initPacketFilterChain

private void initPacketFilterChain(Element node)
Initializes the packet-filter chain from the node configuration element.

Parameters:
node - specifies all the needed configurations for the Packet-Filter-Chain

initDefaultChain

private PacketFilterChain initDefaultChain(String name)
Creates a default chain with the given name and adds it to the packet-filter-chains.

Parameters:
name - Name of the default chain.
Returns:
the newly created default chain.

getGlobalout

public String getGlobalout()
Retrieves the reference-string to the global OUTPUT chain (globalout).

Returns:
reference-string to the global OUTPUT chain

setGlobalout

public void setGlobalout(String globalout)
Sets the reference-string to the global OUTPUT chain.

Parameters:
globalout - The new reference-string to the global OUTPUT chain

getGlobalin

public String getGlobalin()
Retrieves the reference-string to the global INPUT chain (globalin).

Returns:
reference-string to the global INPUT chain

setGlobalin

public void setGlobalin(String globalin)
Sets the reference-string to the global INPUT chain.

Parameters:
globalin - The new reference-string to the global INPUT chain

getForward

public String getForward()
Retrieves the reference-string to the global FORWARD chain (forward).

Returns:
reference-string to the global FORWARD chain

setForward

public void setForward(String forward)
Sets the reference-string to the global FORWARD chain.

Parameters:
forward - The new reference-string to the global FORWARD chain

getInterfaceFilterMappings

public InterfaceFilterMappings getInterfaceFilterMappings()
Gets the interface-filter-mappings

Returns:
Returns the interfaceFilterMappings.

setInterfaceFilterMappings

public void setInterfaceFilterMappings(InterfaceFilterMappings interfaceFilterMappings)
Sets the interface-filter-mappings

Parameters:
interfaceFilterMappings - The interfaceFilterMappings to set.

getPacketFilterChains

public Vector getPacketFilterChains()
Gets the packet-filter-chains

Returns:
Returns the packetFilterChains.

getPacketFilterChain

private PacketFilterChain getPacketFilterChain(String id)
Returns the chain that corresponds to the given ID.

Parameters:
id - ID referencing the chain.
Returns:
the chain corresponding to the given ID, or null if no chain with that ID exists.

setPacketFilterChains

public void setPacketFilterChains(Vector packetFilterChains)
Sets the packet-filter-chains

Parameters:
packetFilterChains - The packetFilterChains to set.

addPacketFilterChain

private void addPacketFilterChain(PacketFilterChain chain)
Adds a chain to the Packet-Filter-Chains

Parameters:
chain - PacketFilterChain to be added

getForward_chain

public PacketFilterChain getForward_chain()
Returns:
Returns the forward_chain.

getInput_chain

public PacketFilterChain getInput_chain()
Returns:
Returns the input_chain.

getOutput_chain

public PacketFilterChain getOutput_chain()
Returns:
Returns the output_chain.

toString

public String toString()
Overrides:
toString in class Object
See Also:
Object.toString()

getHostname

public String getHostname()
Returns:
Returns the hostname.

getSimTime

public String getSimTime()
Returns:
Returns the simTime.

setSimTime

public void setSimTime(String simTime)
Parameters:
simTime - The simTime to set.

Copyright © 2005 Verinec, DIUF