policy module

This module is part of the nmeta suite running on top of Ryu SDN controller. It provides a policy class as an interface to policy configuration and classification of packets against policy.

See Policy class docstring for more information.

policy.validate(logger, data, schema, where)

Generic validation of a data structure against a schema using the Voluptuous data validation library. Parameters:

  • logger: valid logger reference
  • data: structure to validate
  • schema: a valid Voluptuous schema
  • where: string for debugging purposes to identify the policy location
policy.validate_port_set_list(logger, port_set_list, policy)

Validate that a list of dictionaries [{'port_set': str}] references valid port_sets. Returns Boolean 1 if good, otherwise exits with an exception.

policy.validate_location(logger, location, policy)

Validator for location compliance (i.e. checks that the supplied location string exists as a location defined in policy). Returns Boolean True if good, otherwise exits with an exception.

policy.validate_type(type, value, msg)

Used for Voluptuous schema validation. Checks that a value is of the correct type, otherwise raises an Invalid exception that includes an elaborated version of msg.

policy.transform_ports(ports)

Passed a ports specification and returns a list of port numbers for easy searching. Example: the ports specification "1-3,5,66" becomes the list [1,2,3,5,66].

policy.validate_ports(ports)

Custom Voluptuous validator for a list of ports. Example good ports specification:

1-3,5,66

Will raise Voluptuous Invalid exception if types or ranges are not correct
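The following is an added example, not nmeta's own code, showing how a ports specification such as "1-3,5,66" can be validated in the Voluptuous style (validate_ports) and then expanded into a flat list (transform_ports). The `Invalid` class is a stand-in for `voluptuous.Invalid` so the example runs without Voluptuous installed; `_items` and `ports_spec_is_valid` are helper names chosen here, not names from the project.

```python
import re

# Stand-in for voluptuous.Invalid so this example runs without Voluptuous installed (assumption).
class Invalid(Exception):
    pass

# A ports specification is one or more comma-separated items, each a single
# port number or an ascending range "low-high". Whitespace is tolerated.
PORT_SPEC_RE = re.compile(r'^\d+(?:-\d+)?(?:,\d+(?:-\d+)?)*$')


def _items(ports):
    """Split a ports specification into (low, high) integer pairs."""
    pairs = []
    for item in str(ports).replace(' ', '').split(','):
        low, _, high = item.partition('-')
        low = int(low)
        high = int(high) if high else low
        pairs.append((low, high))
    return pairs


def validate_ports(ports):
    """Custom Voluptuous-style validator for a ports specification.

    Returns the original specification if it is well formed, otherwise raises
    Invalid. Bare integers (as YAML parses a single port number) are accepted too.
    """
    spec = str(ports).replace(' ', '')
    if not PORT_SPEC_RE.match(spec):
        raise Invalid('ports specification %r must be digits, "-" ranges and commas' % (ports,))
    for low, high in _items(spec):
        if low > high:
            raise Invalid('port range %d-%d in %r runs backwards' % (low, high, ports))
    return ports


def transform_ports(ports):
    """Expand a validated ports specification into a flat list of port numbers.

    "1-3,5,66" -> [1, 2, 3, 5, 66]
    """
    numbers = []
    for low, high in _items(ports):
        numbers.extend(range(low, high + 1))
    return numbers


def ports_spec_is_valid(ports):
    """Boolean wrapper around validate_ports, convenient for policy checks."""
    try:
        validate_ports(ports)
    except Invalid:
        return False
    return True


if __name__ == '__main__':
    for spec in ('1-3,5,66', 7, '5-3', '1-3,', 'eth1'):
        print('%-12r valid=%s' % (spec, ports_spec_is_valid(spec)))
    print(transform_ports('1-3,5,66'))
```

Validating before transforming matters: transform_ports on "5-3" would silently produce an empty list, so a typo in policy would yield a port set that matches nothing rather than an error at load time.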

policy.validate_time_of_day(time_of_day)

Custom Voluptuous validator for time of day compliance. Returns original time of day if compliant, otherwise raises Voluptuous Invalid exception

policy.validate_macaddress(mac_addr)

Custom Voluptuous validator for MAC address compliance. Returns original MAC address if compliant, otherwise raises Voluptuous Invalid exception

policy.validate_macaddress_OLD(mac_addr)

Custom Voluptuous validator for MAC address compliance. Returns original MAC address if compliant, otherwise raises Voluptuous Invalid exception

policy.validate_ip_space(ip_addr)

Custom Voluptuous validator for IP address compliance. Can be IPv4 or IPv6 and can be range or have CIDR mask. Returns original IP address if compliant, otherwise raises Voluptuous Invalid exception

policy.validate_ethertype(ethertype)

Custom Voluptuous validator for ethertype compliance. Can be in hex (starting with 0x) or decimal. Returns ethertype if compliant, otherwise raises Voluptuous Invalid exception
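As an added example (not nmeta's code), here are Voluptuous-style validators for the three field types described above, MAC address, IP space (single address, CIDR, or first-last range, IPv4 or IPv6) and ethertype (0x-prefixed hex or decimal), built on Python 3's standard `ipaddress` module. It goes one step beyond the docstrings with `ip_in_space`, which reuses the same parser to test a packet address against a validated IP space. `Invalid` stands in for `voluptuous.Invalid`; `_parse_ip_space`, `passes` and `ip_in_space` are names chosen for this example.

```python
import ipaddress
import re

# Stand-in for voluptuous.Invalid so this example runs without Voluptuous installed (assumption).
class Invalid(Exception):
    pass

# Six hex octets separated by ":" or "-" (the forms accepted in this example).
MAC_RE = re.compile(r'^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$')


def validate_macaddress(mac_addr):
    """Return mac_addr unchanged if it is a well-formed MAC address, else raise Invalid."""
    if not MAC_RE.match(str(mac_addr)):
        raise Invalid('MAC address %r is not six hex octets' % (mac_addr,))
    return mac_addr


def _parse_ip_space(ip_space):
    """Parse "a.b.c.d", "a.b.c.d/len" or "first-last" into (low, high) addresses.

    Raises Invalid on malformed input, mixed IP versions or a backwards range.
    """
    text = str(ip_space).strip()
    try:
        if '-' in text:
            first, last = (part.strip() for part in text.split('-', 1))
            low, high = ipaddress.ip_address(first), ipaddress.ip_address(last)
        else:
            # ip_network treats a bare address as /32 or /128; strict=False
            # permits host bits in a CIDR such as 10.1.1.7/24.
            net = ipaddress.ip_network(text, strict=False)
            low, high = net.network_address, net.broadcast_address
    except ValueError as exc:
        raise Invalid('IP space %r: %s' % (ip_space, exc))
    if low.version != high.version:
        raise Invalid('IP space %r mixes IPv4 and IPv6' % (ip_space,))
    if low > high:
        raise Invalid('IP space %r has first address above last' % (ip_space,))
    return low, high


def validate_ip_space(ip_addr):
    """Return ip_addr unchanged if it is a valid address, CIDR or range, else raise Invalid."""
    _parse_ip_space(ip_addr)
    return ip_addr


def validate_ethertype(ethertype):
    """Return ethertype unchanged if it is a 16-bit value in hex (0x...) or decimal."""
    text = str(ethertype).strip()
    try:
        value = int(text, 16) if text.lower().startswith('0x') else int(text, 10)
    except ValueError:
        raise Invalid('ethertype %r is neither 0x-prefixed hex nor decimal' % (ethertype,))
    if not 0 <= value <= 0xFFFF:
        raise Invalid('ethertype %r is outside 0-0xFFFF' % (ethertype,))
    return ethertype


def ip_in_space(ip_space, addr):
    """Classification helper: is packet address addr inside the policy's ip_space?"""
    low, high = _parse_ip_space(ip_space)
    candidate = ipaddress.ip_address(str(addr))
    if candidate.version != low.version:
        return False  # an IPv6 address never falls inside an IPv4 space, and vice versa
    return low <= candidate <= high


def passes(validator, value):
    """Boolean wrapper for the validators above, handy in tests and policy checks."""
    try:
        validator(value)
    except Invalid:
        return False
    return True


if __name__ == '__main__':
    for space in ('10.1.0.0/16', '10.1.1.1-10.1.1.9', '2001:db8::/32', '10.1.1.9-10.1.1.1'):
        print('%-20s valid=%s' % (space, passes(validate_ip_space, space)))
    print(ip_in_space('10.1.0.0/16', '10.1.200.3'))
```

The version check in `ip_in_space` is the edge case worth noticing: comparing an IPv4Address with an IPv6Address raises TypeError in `ipaddress`, so a policy written for IPv4 must explicitly decline IPv6 packets rather than crash the classifier.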

class policy.Policy(config, pol_dir_default='config', pol_dir_user='config/user', pol_filename='main_policy.yaml')

Bases: baseclass.BaseClass

This policy class serves 4 main purposes:
  • Ingest policy (main_policy.yaml) from file
  • Validate correctness of policy against schema
  • Classify packets against policy, passing through to static, identity and custom classifiers, as required
  • Other methods and functions to check various parameters against policy

Note: Class definitions are not nested as not considered Pythonic

Main Methods and Variables:
  • check_policy(flow, ident) # Check a packet against policy
  • qos(qos_treatment) # Map qos_treatment string to queue number
  • main_policy # main policy YAML object. Read-only, no verbs. Use methods instead where possible.

TC Methods and Variables:
  • tc_rules.rules_list # List of TC rules
  • tc_rules.custom_classifiers # dedup list of custom classifier names

check_policy(flow, ident)

Passed a flows object, set in context of current packet-in event, and an identities object. Check if packet matches against any policy rules and if it does, update the classifications portion of the flows object to reflect details of the classification.

qos(qos_treatment)

Passed a QoS treatment string and return the relevant QoS queue number to use, otherwise 0. Works by lookup on qos_treatment section of main_policy

class policy.TCRules(policy)

Bases: object

An object that represents the tc_rules root branch of the main policy

class policy.TCRule(tc_rules, policy, idx)

Bases: object

An object that represents a single traffic classification (TC) rule.

check_tc_rule(flow, ident)

Passed Packet and Identity class objects. Check to see if packet matches conditions as per the TC rule. Return a TCRuleResult object

class policy.TCRuleResult(rule_actions)

Bases: object

An object that represents a traffic classification result, including any decision collateral on matches and actions. Use __dict__ to dump the data to a dictionary.

accumulate(condition_result)

Passed a TCConditionResult object and accumulate values into our object

add_rule_actions()

Add rule actions from policy to the actions of this class

class policy.TCCondition(tc_rules, policy, policy_snippet)

Bases: object

An object that represents a single traffic classification (TC) rule condition from a conditions list (contains a match type and a list of one or more classifiers)

check_tc_condition(flow, ident)

Passed Flow and Identity class objects. Check to see if flow.packet matches the condition (a set of classifiers) as per the match type. Return a TCConditionResult object with match information.

class policy.TCConditionResult

Bases: object

An object that represents a traffic classification condition result. Custom classifiers can return additional parameters beyond a Boolean match, so cater for these too. Use __dict__ to dump the data to a dictionary.

accumulate(classifier_result)

Passed a TCClassifierResult object and accumulate values into our object

class policy.TCClassifierResult(policy_attr, policy_value)

Bases: object

An object that represents a traffic classification classifier result. Custom classifiers can return additional parameters beyond a Boolean match, so cater for these too. Use __dict__ to dump the data to a dictionary.
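The TCCondition / TCConditionResult / TCClassifierResult relationship above is easiest to see in code. This added example (not nmeta's code) evaluates one condition, a match type of "any" or "all" over a classifiers list, against a constructed packet summary, folding each classifier verdict into the condition result with `accumulate` and carrying through any extra parameters a custom classifier returns. The packet dict, the `CLASSIFIERS` registry, the classifier names, the `match_type` constructor argument and the `matched`/`extra` attributes are all assumptions made for the example; nmeta's real Flow and Identity objects and its policy schema are richer.

```python
# Constructed packet summary (assumption: a dict of the header fields a flow exposes).
PACKET = {'eth_type': 0x0800, 'ip_proto': 6, 'ip_src': '10.1.1.5', 'tcp_dst': 80}


def classify_static(packet, attr, value):
    """Static classifier: exact match of a packet field against a policy value."""
    return packet.get(attr) == value, {}


def classify_custom_score(packet, attr, value):
    """Hypothetical custom classifier: a verdict plus an extra 'score' parameter."""
    score = 1.0 if packet.get('tcp_dst') == 80 else 0.0
    return score >= value, {'score': score}


# Hypothetical registry mapping a policy attribute to the function that judges it.
CLASSIFIERS = {
    'eth_type': classify_static,
    'ip_proto': classify_static,
    'tcp_dst': classify_static,
    'custom_score': classify_custom_score,
}


class TCClassifierResult(object):
    """Result of one classifier: the policy attr/value it judged, a verdict and extras."""

    def __init__(self, policy_attr, policy_value):
        self.policy_attr = policy_attr
        self.policy_value = policy_value
        self.match = False
        self.extra = {}  # additional parameters a custom classifier may return


class TCConditionResult(object):
    """Running result of a condition; match_type decides how verdicts combine."""

    def __init__(self, match_type):
        self.match_type = match_type
        self.match = None            # None until the first classifier is accumulated
        self.matched = []            # policy_attr of every classifier that matched
        self.extra = {}

    def accumulate(self, classifier_result):
        """Fold one classifier verdict into this condition's result."""
        if self.match is None:
            self.match = classifier_result.match
        elif self.match_type == 'all':
            self.match = self.match and classifier_result.match
        else:  # 'any'
            self.match = self.match or classifier_result.match
        if classifier_result.match:
            self.matched.append(classifier_result.policy_attr)
        self.extra.update(classifier_result.extra)


def check_tc_condition(packet, condition):
    """Evaluate {'match_type': 'any'|'all', 'classifiers_list': [{attr: value}, ...]}."""
    match_type = condition['match_type']
    if match_type not in ('any', 'all'):
        raise ValueError('unknown match_type %r' % (match_type,))
    result = TCConditionResult(match_type)
    for classifier in condition['classifiers_list']:
        (attr, value), = classifier.items()   # each entry is a one-key dict
        cr = TCClassifierResult(attr, value)
        cr.match, cr.extra = CLASSIFIERS[attr](packet, attr, value)
        result.accumulate(cr)
    if result.match is None:
        result.match = False  # an empty classifiers list matches nothing
    return result


if __name__ == '__main__':
    web = {'match_type': 'all', 'classifiers_list': [{'eth_type': 0x0800}, {'tcp_dst': 80}]}
    print(vars(check_tc_condition(PACKET, web)))   # __dict__ dump, as the docstrings suggest
```

Note the asymmetry that makes the match type matter for security policy: with "all", one classifier that is absent from the packet (a missing field returns False from `classify_static`) fails the whole condition, whereas with "any" a single permissive classifier is enough, so an "any" condition with a broad classifier can quietly widen a rule.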

class policy.QoSTreatment(policy)

Bases: object

An object that represents the qos_treatment root branch of the main policy

class policy.PortSets(policy)

Bases: object

An object that represents the port_sets root branch of the main policy

get_port_set(dpid, port, vlan_id=0)

Check if the supplied dpid/port/vlan_id is a member of a port set and, if so, return the port_set name. If there is no match, return an empty string.

class policy.PortSet(policy, idx)

Bases: object

An object that represents a single port set

is_member(dpid, port, vlan_id=0)

Check to see if the supplied dpid/port/vlan_id is a member of this port set. Returns a Boolean.

class policy.Locations(policy)

Bases: object

An object that represents the locations root branch of the main policy

get_location(dpid, port)

Passed a DPID and port and return a logical location name, as per policy configuration.

class policy.Location(policy, idx)

Bases: object

An object that represents a single location

check(dpid, port)

Check a dpid/port to see if it is part of this location and, if so, return the string name of the location; otherwise return an empty string.
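The PortSets / PortSet and Locations / Location classes above, together with validate_port_set_list, resolve a switch port to a logical location. The added example below (not nmeta's code) implements that lookup over a constructed policy fragment: a dpid/port/vlan_id is matched to a port set, port sets are mapped to locations, and a location's port_set references are validated against the defined sets at construction time. The dict layout (`port_set_list`, `port_list`, `DPID`, `locations_list`, `default_match`), the already-expanded `ports` lists and the `references_ok` helper are assumptions for this example; nmeta's real main_policy.yaml schema may differ.

```python
# Constructed policy fragment (assumption: a simplified shape; 'ports' is
# already a list here rather than a "1-3,5" ports specification).
MAIN_POLICY = {
    'port_sets': {
        'port_set_list': [
            {'name': 'port_set_location_internal',
             'port_list': [
                 {'name': 'sw1-internal', 'DPID': 1, 'ports': [1, 2, 3], 'vlan_id': 0},
                 {'name': 'sw2-vlan100', 'DPID': 2, 'ports': [1], 'vlan_id': 100},
             ]},
            {'name': 'port_set_location_external',
             'port_list': [
                 {'name': 'sw1-uplink', 'DPID': 1, 'ports': [6], 'vlan_id': 0},
             ]},
        ],
    },
    'locations': {
        'locations_list': [
            {'name': 'internal', 'port_set_list': [{'port_set': 'port_set_location_internal'}]},
            {'name': 'external', 'port_set_list': [{'port_set': 'port_set_location_external'}]},
        ],
        'default_match': 'unknown',
    },
}


class PortSet(object):
    """A single port set: a named list of (DPID, ports, vlan_id) entries."""

    def __init__(self, policy, idx):
        snippet = policy['port_sets']['port_set_list'][idx]
        self.name = snippet['name']
        self.port_list = snippet['port_list']

    def is_member(self, dpid, port, vlan_id=0):
        return any(entry['DPID'] == dpid and port in entry['ports']
                   and entry.get('vlan_id', 0) == vlan_id
                   for entry in self.port_list)


class PortSets(object):
    """The port_sets root branch of the policy."""

    def __init__(self, policy):
        count = len(policy['port_sets']['port_set_list'])
        self.port_sets_list = [PortSet(policy, idx) for idx in range(count)]

    def names(self):
        return [ps.name for ps in self.port_sets_list]

    def get_port_set(self, dpid, port, vlan_id=0):
        for port_set in self.port_sets_list:
            if port_set.is_member(dpid, port, vlan_id):
                return port_set.name
        return ''


def validate_port_set_list(port_set_list, policy):
    """Validate that every {'port_set': name} reference names a defined port set."""
    known = PortSets(policy).names()
    for ref in port_set_list:
        if ref['port_set'] not in known:
            raise ValueError('port_set %r is not defined in port_sets' % (ref['port_set'],))
    return True


def references_ok(port_set_list, policy):
    """Boolean wrapper around validate_port_set_list."""
    try:
        return validate_port_set_list(port_set_list, policy)
    except ValueError:
        return False


class Location(object):
    """A single location: the union of the port sets it references."""

    def __init__(self, policy, idx):
        snippet = policy['locations']['locations_list'][idx]
        validate_port_set_list(snippet['port_set_list'], policy)  # fail fast on a bad reference
        self.name = snippet['name']
        wanted = {ref['port_set'] for ref in snippet['port_set_list']}
        self.port_sets = [ps for ps in PortSets(policy).port_sets_list if ps.name in wanted]

    def check(self, dpid, port):
        """Return this location's name if dpid/port (untagged) is in one of its port sets, else ''."""
        return self.name if any(ps.is_member(dpid, port) for ps in self.port_sets) else ''


class Locations(object):
    """The locations root branch of the policy."""

    def __init__(self, policy):
        self.default_match = policy['locations']['default_match']
        count = len(policy['locations']['locations_list'])
        self.locations_list = [Location(policy, idx) for idx in range(count)]

    def get_location(self, dpid, port):
        for location in self.locations_list:
            name = location.check(dpid, port)
            if name:
                return name
        return self.default_match


if __name__ == '__main__':
    print(PortSets(MAIN_POLICY).get_port_set(2, 1, vlan_id=100))
    print(Locations(MAIN_POLICY).get_location(1, 6))
```

Two behaviours worth checking in any real policy: a port that appears in no port set falls through to `default_match`, so that default decides which rules apply to unaccounted-for ports; and a port set entry with a non-zero vlan_id only matches when the caller passes that VLAN, so a location lookup made without VLAN context (as `get_location(dpid, port)` is) will not see tagged ports.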