1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
|
""" Defines a Flow Filtering syntax.
"""
import pyparsing as pp
import netaddr
from functools import reduce
from operator import and_, or_
from ovs.flow.decoders import (
decode_default,
decode_int,
Decoder,
IPMask,
EthMask,
)
class EvaluationResult(object):
"""An EvaluationResult is the result of an evaluation. It contains the
boolean result and the list of key-values that were evaluated.
Note that since boolean operations (and, not, or) are based only on
__bool__ we use bitwise alternatives (&, ||, ~).
"""
def __init__(self, result, *kv):
self.result = result
self.kv = kv if kv else list()
def __and__(self, other):
"""Logical and operation."""
return EvaluationResult(
self.result and other.result, *self.kv, *other.kv
)
def __or__(self, other):
"""Logical or operation."""
return EvaluationResult(
self.result or other.result, *self.kv, *other.kv
)
def __invert__(self):
"""Logical not operation."""
return EvaluationResult(not self.result, *self.kv)
def __bool__(self):
"""Boolean operation."""
return self.result
def __repr__(self):
return "{} [{}]".format(self.result, self.kv)
class ClauseExpression(object):
""" A clause expression represents a specific expression in the filter.
A clause has the following form:
[field] [operator] [value]
Valid operators are:
= (equality)
!= (inequality)
< (arithmetic less-than)
> (arithmetic more-than)
~= (__contains__)
When evaluated, the clause finds what relevant part of the flow to use for
evaluation, tries to translate the clause value to the relevant type and
performs the clause operation.
Attributes:
field (str): The flow field used in the clause.
operator (str): The flow operator used in the clause.
value (str): The value to perform the comparison against.
"""
operators = {}
type_decoders = {
int: decode_int,
netaddr.IPAddress: IPMask,
netaddr.EUI: EthMask,
bool: bool,
}
def __init__(self, tokens):
self.field = tokens[0]
self.value = ""
self.operator = ""
if len(tokens) > 1:
self.operator = tokens[1]
self.value = tokens[2]
def __repr__(self):
return "{}(field: {}, operator: {}, value: {})".format(
self.__class__.__name__, self.field, self.operator, self.value
)
def _find_data_in_kv(self, kv_list):
"""Find a KeyValue for evaluation in a list of KeyValue.
Args:
kv_list (list[KeyValue]): list of KeyValue to look into.
Returns:
If found, tuple (kv, data) where kv is the KeyValue that matched
and data is the data to be used for evaluation. None if not found.
"""
key_parts = self.field.split(".")
field = key_parts[0]
kvs = [kv for kv in kv_list if kv.key == field]
if not kvs:
return None
for kv in kvs:
if kv.key == self.field:
# exact match
return (kv, kv.value)
if len(key_parts) > 1:
data = kv.value
for subkey in key_parts[1:]:
try:
data = data.get(subkey)
except Exception:
data = None
break
if not data:
break
if data:
return (kv, data)
return None
def _find_keyval_to_evaluate(self, flow):
"""Finds the key-value and data to use for evaluation on a flow.
Args:
flow(Flow): The flow where the lookup is performed.
Returns:
If found, tuple (kv, data) where kv is the KeyValue that matched
and data is the data to be used for evaluation. None if not found.
"""
for section in flow.sections:
data = self._find_data_in_kv(section.data)
if data:
return data
return None
def evaluate(self, flow):
"""Returns whether the clause is satisfied by the flow.
Args:
flow (Flow): the flow to evaluate.
"""
result = self._find_keyval_to_evaluate(flow)
if not result:
return EvaluationResult(False)
keyval, data = result
if not self.value and not self.operator:
# just asserting the existance of the key
return EvaluationResult(True, keyval)
# Decode the value based on the type of data
if isinstance(data, Decoder):
decoder = data.__class__
else:
decoder = self.type_decoders.get(data.__class__) or decode_default
decoded_value = decoder(self.value)
if self.operator == "=":
return EvaluationResult(decoded_value == data, keyval)
elif self.operator == "<":
return EvaluationResult(data < decoded_value, keyval)
elif self.operator == ">":
return EvaluationResult(data > decoded_value, keyval)
elif self.operator == "~=":
return EvaluationResult(decoded_value in data, keyval)
class BoolNot(object):
def __init__(self, t):
self.op, self.args = t[0]
def __repr__(self):
return "NOT({})".format(self.args)
def evaluate(self, flow):
return ~self.args.evaluate(flow)
class BoolAnd(object):
def __init__(self, pattern):
self.args = pattern[0][0::2]
def __repr__(self):
return "AND({})".format(self.args)
def evaluate(self, flow):
return reduce(and_, [arg.evaluate(flow) for arg in self.args])
class BoolOr(object):
def __init__(self, pattern):
self.args = pattern[0][0::2]
def evaluate(self, flow):
return reduce(or_, [arg.evaluate(flow) for arg in self.args])
def __repr__(self):
return "OR({})".format(self.args)
class OFFilter(object):
"""OFFilter represents an Open vSwitch Flow Filter.
It is built with a filter expression string composed of logically-separated
clauses (see ClauseExpression for details on the clause syntax).
Args:
expr(str): String filter expression.
"""
w = pp.Word(pp.alphanums + "." + ":" + "_" + "/" + "-")
operators = (
pp.Literal("=")
| pp.Literal("~=")
| pp.Literal("<")
| pp.Literal(">")
| pp.Literal("!=")
)
clause = (w + operators + w) | w
clause.setParseAction(ClauseExpression)
statement = pp.infixNotation(
clause,
[
("!", 1, pp.opAssoc.RIGHT, BoolNot),
("not", 1, pp.opAssoc.RIGHT, BoolNot),
("&&", 2, pp.opAssoc.LEFT, BoolAnd),
("and", 2, pp.opAssoc.LEFT, BoolAnd),
("||", 2, pp.opAssoc.LEFT, BoolOr),
("or", 2, pp.opAssoc.LEFT, BoolOr),
],
)
def __init__(self, expr):
self._filter = self.statement.parseString(expr)
def evaluate(self, flow):
"""Evaluate whether the flow satisfies the filter.
Args:
flow(Flow): a openflow or datapath flow.
Returns:
An EvaluationResult with the result of the evaluation.
"""
return self._filter[0].evaluate(flow)
|
