Merge pull request #57 from vedetta-com/wip

Add software-defined networking (SDN)
vedetta-com · Dec 6, 2017 · e82f046 · e82f046
2 parents 301b1de + 79199e4
commit e82f046
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -78,6 +78,7 @@ Share what you've got, keep what you need:
     - [`etc/hostname.em2`](src/etc/hostname.em2)
     - [`etc/hostname.enc1`](src/etc/hostname.enc1)
     - [`etc/hostname.gif0`](src/etc/hostname.gif0)
+    - [`etc/hostname.switch0`](src/etc/hostname.switch0)
     - [`etc/hostname.tun0`](src/etc/hostname.tun0)
     - [`etc/hostname.vether0`](src/etc/hostname.vether0)
     - [`etc/hostname.vlan5`](src/etc/hostname.vlan5)
@@ -216,6 +217,17 @@ Share what you've got, keep what you need:
   - *Usage:*
     - [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`
     - [`rcctl`](https://man.openbsd.org/rcctl)` start sshd`
+* [switchd](https://man.openbsd.org/switchd) - software-defined networking (SDN) sflow controller
+  - *Configure:*
+    - [`etc/hostname.switch0`](src/etc/hostname.switch0)
+    - [`etc/pf.conf`](src/etc/pf.conf)
+    - [`etc/switchd.conf`](src/etc/switchd.conf)
+  - *Usage:*
+    - `sh /etc/netstart switch0`
+    - [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`
+    - [`rcctl`](https://man.openbsd.org/rcctl)` enable switchd`
+    - [`rcctl`](https://man.openbsd.org/rcctl)` start switchd`
+    - [`switchctl`](https://man.openbsd.org/switchctl)` connect /dev/switch0`
 * [syslogd](https://man.openbsd.org/syslogd) - log system messages
   - *Configure:*
     - [`etc/newsyslog.conf`](src/etc/newsyslog.conf)

diff --git a/src/etc/hostname.switch0 b/src/etc/hostname.switch0
@@ -0,0 +1,5 @@
+description "switchd interface"
+addlocal vether0
+#add tap0
+up
+!switchctl connect /dev/switch0
diff --git a/src/etc/pf.conf b/src/etc/pf.conf
@@ -92,7 +92,7 @@ anchor "nat" out on egress inet tagged LAN_INET {
 
 # Block spoofed traffic
 # http://man.openbsd.org/pf.conf#Blocking_Spoofed_Traffic
-antispoof log quick for { (egress) lo0 (tun) (vether) (enc) }
+antispoof log quick for { (egress) lo0 (tun) (vether) (enc) (tap) (vlan) (svlan) }
 antispoof log for { (lan) (wlan) } # why not quick? We allow them on enc
 
 anchor "block" {
@@ -358,6 +358,11 @@ anchor "vlan" on vlan from (vlan:network) to (vlan:network) {
  match log on vlan5 tag VLAN5
 }
 
+# SDN
+anchor "virtual" on { vether tap } {
+ # Custom
+}
+
 anchor "icmp" {
  anchor "ipv4-icmp" inet proto icmp {
   # https://datatracker.ietf.org/doc/draft-ietf-opsec-icmp-filtering/history/

diff --git a/src/etc/rc.conf.local b/src/etc/rc.conf.local
@@ -14,6 +14,7 @@ ntpd_flags=
 rtadvd_flags="em1 em2 athn0"
 sndiod_flags=NO
 sensorsd_flags=
+switchd_flags=
 syslogd_flags="${syslogd_flags} -a /var/unbound/dev/log -a /var/nsd/dev/log"
 unbound_flags="-v -c /var/unbound/etc/unbound.conf"
 httpd_flags=

diff --git a/src/etc/switchd.conf b/src/etc/switchd.conf
@@ -0,0 +1 @@
+listen on 0.0.0.0 tls port 6633