p4lang / p4pi

P4 on Raspberry Pi for Networking Education
Apache License 2.0

Traffic filter does not stop Netcat between wifi-connected devices #62

Open shakedNissanov opened 2 years ago

shakedNissanov commented 2 years ago

What we tried to do

Hi guys, we tried changing the traffic filter example in the examples section from a block-list to an allow-list. To do so, we changed the default action of the tables to be drop instead of NoAction. We then ran the program with no rules applied, to see if every packet is indeed dropped.

The problem

When we run in verbose mode, the compiler states that every received packet is dropped. The problem is that when we open a Netcat connection between 2 laptops connected to the p4pi network, or when we open a Netcat connection between a connected laptop and the p4pi itself, the messages get through and reach the other side, even though all the packets seem to be dropped.

We tried writing a simpler program that just calls drop on every packet in MyIngress' apply, and again it states that every packet is dropped, but the connection goes through.

What we think / don't understand

The example shows the capability of the firewall by running an iperf server inside the gigport namespace. This does work for us. The problem is when we use Netcat outside of the gigport namespace - between 2 laptops or a laptop and the p4pi. Do we need to run something inside the gigport namespace? Can we expand the firewall capabilities to support blocking communication between 2 connected devices?

Thank you for your help.

noaz commented 2 years ago

@slaki can you please advise?

slaki commented 2 years ago

When you run the experiment between a laptop and the P4Pi node, the netcat on p4pi should be run inside the gigport namespace. Since the P4 software switch is located between the gigport namespace and the wlan interface, this enforces that the traffic goes through the P4 pipeline. The experiment with two laptops is a bit more tricky if both laptops connect to P4Pi via the wireless interface. The hotspot is in bridged mode and it implements layer 2 forwarding by default. Thus, if the two laptops are in the same IP domain, the traffic will be forwarded between the two laptops seamlessly. We can capture the packets in the P4 switch, but in the background it is also forwarded directly to the other laptop. You can bypass it by assigning static IPs from different ranges to the two laptops, and extend the P4 pipeline with basic routing functions and ARP. If the other laptop is connected to the ethernet port (or to a USB-ethernet adapter), this transmission should also work with your original setup.
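For reference, the allow-list variant described in the issue (default action `drop` instead of `NoAction`) looks roughly like the following v1model ingress control. This is an added illustration, not code from the p4pi repository or its traffic_filter example; header and metadata struct names, the two-port forwarding rule and the table key are assumptions. As slaki explains above, this only filters traffic that actually traverses the P4 pipeline (gigport namespace to wlan, or wlan to the wired port); wlan-to-wlan traffic in the same IP range is bridged at layer 2 and never reaches this control.

```p4
// Assumed declarations: headers (with hdr.ethernet / hdr.ipv4), metadata,
// and the standard v1model standard_metadata_t.
control MyIngress(inout headers hdr,
                  inout metadata meta,
                  inout standard_metadata_t standard_metadata) {

    // Drop the packet; v1model marks it and the deparser never emits it.
    action drop() {
        mark_to_drop(standard_metadata);
    }

    // Forward to "the other" port of a two-port switch (ports 0 and 1 assumed).
    action allow() {
        standard_metadata.egress_spec =
            (standard_metadata.ingress_port == 0) ? (bit<9>) 1 : (bit<9>) 0;
    }

    // Allow-list: only explicitly installed (src, dst) pairs are forwarded.
    table ipv4_allowlist {
        key = {
            hdr.ipv4.srcAddr : exact;
            hdr.ipv4.dstAddr : exact;
        }
        actions = {
            allow;
            drop;
        }
        size = 1024;
        // The change discussed in the issue: unmatched packets are dropped,
        // so an empty table blocks all IPv4 traffic crossing the pipeline.
        default_action = drop();
    }

    apply {
        if (hdr.ipv4.isValid()) {
            ipv4_allowlist.apply();
        } else {
            // Non-IPv4 frames (e.g. ARP) are dropped too; an allow-list that
            // must support routing between ranges would add an ARP table here.
            drop();
        }
    }
}
```

Whether a given flow is really subject to this control can be checked by running the endpoint inside the gigport namespace (`ip netns exec gigport ...`) and confirming in verbose mode that the packet count matches what the other side sends.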