Besides basic routing the DANOS virtual router also has a firewal capability we can use for demonstrations.
- Create a firewall rule to allow UPD traffic on port dp0s4 from the packet geneartor to the traffic sink
Submit the following to the SDNC netconfg mouth previously created (replace with your vfw name, k8 host ip and sdnc nodeport (this is from POSTMAN) :
PUT https://{{sdnc_ssl_port}}/restconf/config/network-topology:network-topology/topology/topology-netconf/node/vofwl01fwleccf/yang-ext:mount/vyatta-security-v1:security/firewall
add firewall rule payload{ "vyatta-security-firewall-v1:firewall": { "name": [ { "ruleset-name": "ONAP_DANOS_PGN", "description": "Allow UDP port 8080", "rule": [ { "tagnode": 100, "protocol": "udp", "action": "accept", "destination": { "address": "192.168.20.250", "port": 8080 } } ] } ] } }4. Traffic is not affected since we haven't attached the rule to a port
Attach the firewall rule to port dp0s4
PUT https://{{sdnc_ssl_port}}/restconf/config/network-topology:network-topology/topology/topology-netconf/node/vofwl01fwleccf/yang-ext:mount/vyatta-interfaces-v1:interfaces/vyatta-interfaces-dataplane-v1:dataplane/dp0s4/firewall
Attach firewall rule to dp0s4{ "vyatta-security-firewall-v1:firewall": { "in": [ "ONAP_DANOS_PGN" ] } }Traffic should still be routing
- Change the policy to drop the UDP traffic
PUT https://{{sdnc_ssl_port}}/restconf/config/network-topology:network-topology/topology/topology-netconf/node/vofwl01fwleccf/yang-ext:mount/vyatta-security-v1:security/firewall
Drop traffic{ "vyatta-security-firewall-v1:firewall": { "name": [ { "ruleset-name": "ONAP_DANOS_PGN", "description": "Allow UDP port 8080", "rule": [ { "tagnode": 100, "protocol": "udp", "action": "drop", "destination": { "address": "192.168.20.250", "port": 8080 } } ] } ] } }- Traffic to the traffic sink will go to zero
- Reapply the action: allow to see traffic flow again
- In the upper left panel you can see the traffic go to zero with the "drop" action and back to normal with the "allow" policy re-applied.
