Traffic filter does not stop Netcat between wifi-connected devices #62

shakedNissanov opened this issue Dec 10, 2021 · 2 comments

What we tried to do

Hi guys,
We tried changing the traffic filter example in the examples section from a block-list to an allow-list.
To do so, we changed the default action of the tables to be drop instead of NoAction. We then ran the program with no rules applied, to see if every packet is indeed dropped.

The problem

When we run in verbose mode, the compiler states that every received packet is dropped.
The problem is that when we open a Netcat connection between 2 laptops connected to the p4pi network, or when we open a Netcat connection between a connected laptop and the p4pi itself, the messages get through and reach the other side, even though all the packets seem to be dropped.

We tried writing a simpler program that just calls drop on every packet in MyIngress' apply, and again it states that every packet is dropped, but the connection goes through.

What we think / don't understand

The example shows the capability of the firewall by running an iperf server inside the gigport namespace. This does work for us.
The problem is when we use Netcat outside of the gigport namespace - between 2 laptops or a laptop and the p4pi.
Do we need to run something inside the gigport namespace?
Can we extend the firewall capabilities to support blocking communication between 2 connected devices?

Thank you for your help.

noaz (Collaborator) commented Dec 14, 2021

@slaki can you please advise?

slaki (Collaborator) commented Dec 14, 2021

When you run the experiment between a laptop and the P4Pi node, the netcat on p4pi should be run inside the gigport namespace. The P4 software switch is located between the gigport namespace and the wlan interface, which enforces that the traffic goes through the P4 pipeline. The experiment with two laptops is a bit more tricky if both laptops connect to P4Pi via the wireless interface. The hotspot is in bridged mode and it implements layer-2 forwarding by default. Thus if the two laptops are in the same IP domain, the traffic will be forwarded between the two laptops seamlessly. We can capture the packets in the P4 switch, but in the background it is also forwarded directly to the other laptop. You can bypass it by assigning static IPs from different ranges to the two laptops, and extend the P4 pipeline with basic routing functions and ARP. If the other laptop is connected to the ethernet port (or to a USB-Ethernet adapter), this transmission should also work with your original setup.
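The shape of the pipeline extension slaki describes, as an added example that is not P4Pi's own code: an allow-list ACL whose default action is drop, followed by an LPM routing table so that traffic between two laptops in different IP ranges is carried by the P4 switch rather than the layer-2 bridge. It assumes the v1model architecture and the usual tutorial `headers`/`metadata` structs (parser and deparser omitted); an ARP responder is not shown, so the hosts are assumed to have static ARP entries for their gateway. Non-IPv4 frames are dropped.

```p4
/* Added example (not from P4Pi): allow-list ingress with routing between two
 * address ranges. Assumes v1model and tutorial-style headers/metadata. */
control MyIngress(inout headers hdr,
                  inout metadata meta,
                  inout standard_metadata_t standard_metadata) {

    action drop() {
        mark_to_drop(standard_metadata);
    }

    action allow() { }

    /* Basic IPv4 routing: set egress port, rewrite MACs, decrement TTL. */
    action ipv4_forward(bit<48> dstAddr, bit<9> port) {
        standard_metadata.egress_spec = port;
        hdr.ethernet.srcAddr = hdr.ethernet.dstAddr;
        hdr.ethernet.dstAddr = dstAddr;
        hdr.ipv4.ttl = hdr.ipv4.ttl - 1;
    }

    /* Allow-list: a flow passes only if the control plane installed an
     * explicit allow entry; with no rules installed everything is dropped. */
    table acl_allow {
        key = {
            hdr.ipv4.srcAddr  : exact;
            hdr.ipv4.dstAddr  : exact;
            hdr.ipv4.protocol : exact;
        }
        actions = { allow; drop; }
        default_action = drop();
        size = 256;
    }

    /* Routing between the two static ranges (e.g. 10.0.1.0/24 and
     * 10.0.2.0/24, constructed values) so the switch forwards the packet. */
    table ipv4_lpm {
        key = { hdr.ipv4.dstAddr : lpm; }
        actions = { ipv4_forward; drop; }
        default_action = drop();
        size = 64;
    }

    apply {
        if (!hdr.ipv4.isValid()) {
            drop();              /* ARP handling intentionally left out */
        } else {
            switch (acl_allow.apply().action_run) {
                allow: { ipv4_lpm.apply(); }   /* route only allowed flows */
            }
        }
    }
}
```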
