Add vFW scripts folder 07/78007/1
authorVictor Morales <victor.morales@intel.com>
Wed, 6 Feb 2019 21:12:43 +0000 (13:12 -0800)
committerVictor Morales <victor.morales@intel.com>
Wed, 6 Feb 2019 21:12:43 +0000 (13:12 -0800)
The bash scripts that are used for testing the Firewall ONAP use case
are hosted in an external repo. This change includes the latest
working version of those scripts.

Change-Id: Ic2d371a3e715d867cb4e61e0ad13da812edeea45
Signed-off-by: Victor Morales <victor.morales@intel.com>
Issue-ID: MULTICLOUD-301

vagrant/tests/vFW/README.md [new file with mode: 0644]
vagrant/tests/vFW/Vagrantfile [new file with mode: 0644]
vagrant/tests/vFW/diagram.png [new file with mode: 0644]
vagrant/tests/vFW/firewall [new file with mode: 0755]
vagrant/tests/vFW/packetgen [new file with mode: 0755]
vagrant/tests/vFW/sink [new file with mode: 0755]

diff --git a/vagrant/tests/vFW/README.md b/vagrant/tests/vFW/README.md
new file mode 100644 (file)
index 0000000..f54a555
--- /dev/null
@@ -0,0 +1,50 @@
+# vFirewall ONAP Use Case
+
+This use case is composed of three virtual functions (VFs) running in
+separate Ubuntu Virtual Machines:
+
+  * [Packet generator][1]: Sends packets to the packet sink through the
+firewall. This includes a script that periodically generates different
+volumes of traffic.
+  * [Firewall][2]: Reports the volume of traffic passing though to the
+ONAP DCAE collector.
+  * [Traffic sink][3]: Displays the traffic volume that lands at the sink
+VM using the link http://192.168.20.250:667 through your browser
+and enable automatic page refresh by clicking the "Off" button. You
+can see the traffic volume in the charts.
+
+![Diagram](diagram.png)
+
+## Adjust packet generator:
+
+The packet generator contains 10 streams: fw\_udp1, fw\_udp2,
+fw\_udp3, . . . , fw\_udp10. Each stream generates 100 packets every
+10 seconds. The  */opt/run\_traffic\_fw\_demo.sh* script on the packet
+generator VM starts automatically and alternates high traffic (i.e.
+10 active streams at the same time) and low traffic (1 active stream)
+every 5 minutes.
+
+To enable a stream, include `{"id":"fw_udp1", "is-enabled":"true"}`
+in the *pg-stream* bracket. 
+
+To adjust the traffic volume produced by the packet generator, run the
+following command in a shell:
+
+```
+    curl -X PUT \
+         -H "Authorization: Basic YWRtaW46YWRtaW4=" \
+         -H "Content-Type: application/json" \
+         -H "Cache-Control: no-cache" \
+         -d '{"pg-streams":{"pg-stream": [{"id":"fw_udp1", "is-enabled":"true"},{"id":"fw_udp2", "is-enabled":"true"},{"id":"fw_udp3", "is-enabled":"true"},{"id":"fw_udp4", "is-enabled":"true"},{"id":"fw_udp5", "is-enabled":"true"}]}}' \
+        "http://192.168.10.200:8183/restconf/config/sample-plugin:sample-plugin/pg-streams"
+```
+
+The command above enables 5 streams.
+
+## License
+
+Apache-2.0
+
+[1]: packetgen
+[2]: firewall
+[3]: sink
diff --git a/vagrant/tests/vFW/Vagrantfile b/vagrant/tests/vFW/Vagrantfile
new file mode 100644 (file)
index 0000000..cabe650
--- /dev/null
@@ -0,0 +1,66 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+vars = {
+  "demo_artifacts_version"     => "1.3.0",
+  'vfw_private_ip_0'           => '192.168.10.100',
+  'vfw_private_ip_1'           => '192.168.20.100',
+  'vfw_private_ip_2'           => '10.10.100.2',
+  'vpg_private_ip_0'           => '192.168.10.200',
+  'vpg_private_ip_1'           => '10.0.100.3',
+  'vsn_private_ip_0'           => '192.168.20.250',
+  'vsn_private_ip_1'           => '10.10.100.4',
+  'dcae_collector_ip'          => '10.0.4.1',
+  'dcae_collector_port'        => '8081',
+  'protected_net_gw'           => '192.168.20.100',
+  'protected_net_cidr'         => '192.168.20.0/24',
+  'protected_private_net_cidr' => '192.168.10.0/24',
+  'onap_private_net_cidr'      => '10.10.0.0/16'
+}
+
+if ENV['no_proxy'] != nil or ENV['NO_PROXY']
+  $no_proxy = ENV['NO_PROXY'] || ENV['no_proxy'] || "127.0.0.1,localhost"
+  $subnet = "192.168.121"
+  # NOTE: This range is based on vagrant-libivirt network definition
+  (1..27).each do |i|
+    $no_proxy += ",#{$subnet}.#{i}"
+  end
+end
+
+Vagrant.configure("2") do |config|
+  config.vm.box = "elastic/ubuntu-16.04-x86_64"
+
+  if ENV['http_proxy'] != nil and ENV['https_proxy'] != nil
+    if not Vagrant.has_plugin?('vagrant-proxyconf')
+      system 'vagrant plugin install vagrant-proxyconf'
+      raise 'vagrant-proxyconf was installed but it requires to execute again'
+    end
+    config.proxy.http     = ENV['http_proxy'] || ENV['HTTP_PROXY'] || ""
+    config.proxy.https    = ENV['https_proxy'] || ENV['HTTPS_PROXY'] || ""
+    config.proxy.no_proxy = $no_proxy
+  end
+
+  config.vm.provider 'libvirt' do |v|
+    v.cpu_mode = 'host-passthrough' # DPDK requires Supplemental Streaming SIMD Extensions 3 (SSSE3)
+  end
+
+  config.vm.define :packetgen do |packetgen|
+    packetgen.vm.hostname = "packetgen"
+    packetgen.vm.provision 'shell', path: 'packetgen', env: vars
+    packetgen.vm.network :private_network, :ip => vars['vpg_private_ip_0'], :type => :static, :netmask => "255.255.255.0" # unprotected_private_net_cidr
+    packetgen.vm.network :private_network, :ip => vars['vpg_private_ip_1'], :type => :static, :netmask => "255.255.0.0" # onap_private_net_cidr
+  end  
+  config.vm.define :firewall do |firewall|
+    firewall.vm.hostname = "firewall"
+    firewall.vm.provision 'shell', path: 'firewall', env: vars
+    firewall.vm.network :private_network, :ip => vars['vfw_private_ip_0'], :type => :static, :netmask => "255.255.255.0" # unprotected_private_net_cidr
+    firewall.vm.network :private_network, :ip => vars['vfw_private_ip_1'], :type => :static, :netmask => "255.255.255.0" # protected_private_net_cidr
+    firewall.vm.network :private_network, :ip => vars['vfw_private_ip_2'], :type => :static, :netmask => "255.255.0.0" # onap_private_net_cidr
+  end
+  config.vm.define :sink do |sink|
+    sink.vm.hostname = "sink"
+    sink.vm.provision 'shell', path: 'sink', env: vars
+    sink.vm.network :private_network, :ip => vars['vsn_private_ip_0'], :type => :static, :netmask => "255.255.255.0" # protected_private_net_cidr
+    sink.vm.network :private_network, :ip => vars['vsn_private_ip_1'], :type => :static, :netmask => "255.255.0.0" # onap_private_net_cidr
+  end
+end
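Review bot: `$no_proxy` is assigned only inside the first `if`, so when `http_proxy` and `https_proxy` are set but neither `no_proxy` variable is, `config.proxy.no_proxy = $no_proxy` receives nil and the libvirt management addresses are not excluded from the proxy. Moving `$no_proxy = ENV['NO_PROXY'] || ENV['no_proxy'] || "127.0.0.1,localhost"` and the `(1..27).each` loop out of that guard removes the case. The proxy guard also tests only the lowercase names, so the `HTTP_PROXY`/`HTTPS_PROXY` fallbacks in the assignments are reachable only when the lowercase variables are already set. Separately, `config.vm.box` has no `config.vm.box_version`, so a clean host takes whatever box version is current; pinning it keeps the test environment reproducible.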
diff --git a/vagrant/tests/vFW/diagram.png b/vagrant/tests/vFW/diagram.png
new file mode 100644 (file)
index 0000000..4cf95f2
Binary files /dev/null and b/vagrant/tests/vFW/diagram.png differ
diff --git a/vagrant/tests/vFW/firewall b/vagrant/tests/vFW/firewall
new file mode 100755 (executable)
index 0000000..93d4f2a
--- /dev/null
@@ -0,0 +1,96 @@
+#!/bin/bash
+# SPDX-license-identifier: Apache-2.0
+##############################################################################
+# Copyright (c) 2018
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+
+set -o nounset
+set -o pipefail
+set -o xtrace
+set -o errexit
+
+# install_dependencies() - Install required dependencies
+function install_dependencies {
+    apt-get update
+    apt-get install -y -qq wget openjdk-8-jre bridge-utils net-tools bsdmainutils make gcc libcurl4-gnutls-dev
+}
+
+# install_vpp() - Install VPP
+function install_vpp {
+    local RELEASE=".stable.1609"
+
+    apt-get update
+    apt-get install -y -qq apt-transport-https
+    echo "deb [trusted=yes] https://nexus.fd.io/content/repositories/fd.io$RELEASE.ubuntu.$(lsb_release -c -s).main/ ./" | tee -a /etc/apt/sources.list.d/99fd.io.list
+    apt-get update
+    apt-get install -y -qq vpp vpp-lib vpp-plugins vpp-dpdk-dkms
+}
+
+function _untar_url {
+    local repo_url="https://nexus.onap.org/content/repositories/staging/org/onap/demo/vnf/"
+    local file_subpath=$1
+
+    wget -q -O tmp_file.tar.gz "${repo_url}/${file_subpath}"
+    sha1=$(wget ${repo_url}/${file_subpath}.sha1 -q -O -)
+    if [[ $(sha1sum tmp_file.tar.gz  | awk '{print $1}') != "$sha1" ]]; then
+        echo "The downloaded file is corrupted"
+        exit 1
+    fi
+    tar -zmxf tmp_file.tar.gz
+    rm tmp_file.tar.gz
+}
+
+# install_vfw_scripts() -
+function install_vfw_scripts {
+    local version=$(cat /opt/config/demo_artifacts_version.txt)
+    local ves_path=VES
+    local ves_reporting_path="${ves_path}/evel/evel-library"
+
+    pushd /opt
+    wget -q https://git.onap.org/demo/plain/vnfs/vFW/scripts/{v_firewall_init,vfirewall}.sh
+    chmod +x *.sh
+
+    _untar_url "sample-distribution/${version}/sample-distribution-${version}-hc.tar.gz"
+    mkdir -p honeycomb
+    mv sample-distribution-$version honeycomb
+
+    _untar_url "ves5/ves/${version}/ves-${version}-demo.tar.gz"
+    mv ves-$version $ves_path
+
+    _untar_url "ves5/ves_vfw_reporting/${version}/ves_vfw_reporting-${version}-demo.tar.gz"
+    mkdir -p $ves_reporting_path/code
+    mv ves_vfw_reporting-$version $ves_reporting_path/code/VESreporting
+
+    chmod +x $ves_reporting_path/code/VESreporting/go-client.sh
+    pushd $ves_reporting_path/bldjobs/
+    make clean
+    make
+    sleep 1
+    popd
+
+    # TODO(electrocucaracha) Fix it in upstream
+    sed -i 's/start vpp/systemctl start vpp/g' v_firewall_init.sh
+    mv vfirewall.sh /etc/init.d
+    update-rc.d vfirewall.sh defaults
+    systemctl start firewall
+    popd
+}
+
+mkdir -p /opt/config/
+echo "$protected_net_cidr"     > /opt/config/protected_net_cidr.txt
+echo "$vfw_private_ip_0"       > /opt/config/fw_ipaddr.txt
+echo "$vsn_private_ip_0"       > /opt/config/sink_ipaddr.txt
+echo "$demo_artifacts_version" > /opt/config/demo_artifacts_version.txt
+echo "$dcae_collector_ip"      > /opt/config/dcae_collector_ip.txt
+echo "$dcae_collector_port"    > /opt/config/dcae_collector_port.txt
+
+echo 'vm.nr_hugepages = 1024' >> /etc/sysctl.conf
+sysctl -p
+
+install_dependencies
+install_vpp
+install_vfw_scripts
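Review bot: The `deb [trusted=yes]` entry written by install_vpp turns off apt signature verification for the fd.io repository, so the `vpp` packages and the `vpp-dpdk-dkms` kernel module are installed as root with only TLS protecting them; if the repository publishes a signed Release file, import its key and drop `[trusted=yes]`, otherwise add a comment saying why it is needed. In `_untar_url` the expected SHA-1 is downloaded from the same host as the tarball, so the comparison detects a truncated download but not a replaced artifact; keeping the expected digest in the repository (for example next to `demo_artifacts_version` in the Vagrantfile `vars`) would make it an integrity check. The `wget` from `git.onap.org/demo/plain/...` in install_vfw_scripts carries no revision and no digest, so it presumably takes the tip of the default branch, and one of the fetched scripts is installed under `/etc/init.d`; pinning the URL to a tag or commit that matches `demo_artifacts_version` would fix what runs. The same three patterns are repeated in the packetgen hunk, and the unpinned `wget` also appears in the sink hunk.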
diff --git a/vagrant/tests/vFW/packetgen b/vagrant/tests/vFW/packetgen
new file mode 100755 (executable)
index 0000000..51d5c67
--- /dev/null
@@ -0,0 +1,83 @@
+#!/bin/bash
+# SPDX-license-identifier: Apache-2.0
+##############################################################################
+# Copyright (c) 2018
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+
+set -o nounset
+set -o pipefail
+set -o xtrace
+set -o errexit
+
+# install_dependencies() - Install required dependencies
+function install_dependencies {
+    apt-get update
+    apt-get install -y -qq wget openjdk-8-jre bridge-utils net-tools bsdmainutils
+}
+
+# install_vpp() - Install VPP
+function install_vpp {
+    local RELEASE=".stable.1609"
+
+    apt-get update
+    apt-get install -y -qq apt-transport-https
+    echo "deb [trusted=yes] https://nexus.fd.io/content/repositories/fd.io$RELEASE.ubuntu.$(lsb_release -c -s).main/ ./" | tee -a /etc/apt/sources.list.d/99fd.io.list
+    apt-get update
+    apt-get install -y -qq vpp vpp-lib vpp-plugins vpp-dpdk-dkms
+}
+
+function _untar_url {
+    local repo_url="https://nexus.onap.org/content/repositories/staging/org/onap/demo/vnf/"
+    local file_subpath=$1
+
+    wget -q -O tmp_file.tar.gz "${repo_url}/${file_subpath}"
+    sha1=$(wget ${repo_url}/${file_subpath}.sha1 -q -O -)
+    if [[ $(sha1sum tmp_file.tar.gz  | awk '{print $1}') != "$sha1" ]]; then
+        echo "The downloaded file is corrupted"
+        exit 1
+    fi
+    tar -zmxf tmp_file.tar.gz
+    rm tmp_file.tar.gz
+}
+
+# install_vfw_scripts() -
+function install_vfw_scripts {
+    local version=$(cat /opt/config/demo_artifacts_version.txt)
+
+    pushd /opt
+    wget -q https://git.onap.org/demo/plain/vnfs/vFW/scripts/{v_packetgen_init,vpacketgen,run_traffic_fw_demo}.sh
+    chmod +x *.sh
+
+    _untar_url "sample-distribution/${version}/sample-distribution-${version}-hc.tar.gz"
+    mv sample-distribution-$version honeycomb
+
+    _untar_url "vfw/vfw_pg_streams/$version/vfw_pg_streams-$version-demo.tar.gz"
+    mv vfw_pg_streams-$version pg_streams
+
+    sed -i 's/"restconf-binding-address": "127.0.0.1",/"restconf-binding-address": "0.0.0.0",/g' /opt/honeycomb/config/honeycomb.json
+
+    # TODO(electrocucaracha) Fix it in upstream
+    sed -i 's/start vpp/systemctl start vpp/g' v_packetgen_init.sh
+    sed -i 's|/opt/honeycomb/sample-distribution-\$VERSION/honeycomb|/opt/honeycomb/honeycomb|g' v_packetgen_init.sh
+    mv vpacketgen.sh /etc/init.d/
+    update-rc.d vpacketgen.sh defaults
+    systemctl start packetgen
+    popd
+}
+
+mkdir -p /opt/config/
+echo "$protected_net_cidr"     > /opt/config/protected_net_cidr.txt
+echo "$vfw_private_ip_0"       > /opt/config/fw_ipaddr.txt
+echo "$vsn_private_ip_0"       > /opt/config/sink_ipaddr.txt
+echo "$demo_artifacts_version" > /opt/config/demo_artifacts_version.txt
+
+echo 'vm.nr_hugepages = 1024' >> /etc/sysctl.conf
+sysctl -p
+
+install_dependencies
+install_vpp
+install_vfw_scripts
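Review bot: The `sed` in install_vfw_scripts that rewrites `restconf-binding-address` from `127.0.0.1` to `0.0.0.0` makes the Honeycomb RESTCONF listener reachable on every interface of the VM, including the Vagrant management NIC, while the README's example request authenticates with a Basic header that decodes to `admin:admin`. Binding to the address the README actually uses would be narrower, e.g. `sed -i "s/\"restconf-binding-address\": \"127.0.0.1\",/\"restconf-binding-address\": \"${vpg_private_ip_0}\",/g" /opt/honeycomb/config/honeycomb.json`; this script does not read `vpg_private_ip_0` today, but the Vagrantfile already passes it through `env: vars`. If binding to all interfaces is intended, a comment stating that this is a lab-only setting and that the default credentials are left unchanged would make the exposure explicit.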
diff --git a/vagrant/tests/vFW/sink b/vagrant/tests/vFW/sink
new file mode 100755 (executable)
index 0000000..5604198
--- /dev/null
@@ -0,0 +1,48 @@
+#!/bin/bash
+# SPDX-license-identifier: Apache-2.0
+##############################################################################
+# Copyright (c) 2018
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+
+set -o nounset
+set -o pipefail
+set -o xtrace
+set -o errexit
+
+# install_dependencies() - Install required dependencies
+function install_dependencies {
+    apt-get update
+    apt install -y wget darkstat net-tools
+
+    # Configure and run Darkstat
+    sed -i "s/START_DARKSTAT=.*/START_DARKSTAT=yes/g;s/INTERFACE=.*/INTERFACE=\"-i eth1\"/g" /etc/darkstat/init.cfg
+
+    systemctl restart darkstat
+}
+
+# install_vfw_scripts() -
+function install_vfw_scripts {
+    pushd /opt
+    wget -q https://git.onap.org/demo/plain/vnfs/vFW/scripts/{v_sink_init,vsink}.sh
+    chmod +x *.sh
+
+    mv vsink.sh /etc/init.d
+    update-rc.d vsink.sh defaults
+    systemctl start sink
+    popd
+}
+
+mkdir -p /opt/config/
+echo "$protected_net_cidr"         > /opt/config/protected_net_cidr.txt
+echo "$vfw_private_ip_0"           > /opt/config/fw_ipaddr.txt
+echo "$vsn_private_ip_0"           > /opt/config/sink_ipaddr.txt
+echo "$demo_artifacts_version"     > /opt/config/demo_artifacts_version.txt
+echo "$protected_net_gw"           > /opt/config/protected_net_gw.txt
+echo "$protected_private_net_cidr" > /opt/config/unprotected_net.txt
+
+install_dependencies
+install_vfw_scripts
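Review bot: install_dependencies calls `apt install -y wget darkstat net-tools`, while the firewall and packetgen scripts use `apt-get install -y -qq`; `apt` is intended for interactive use and warns about its unstable CLI when scripted, so `apt-get install -y -qq wget darkstat net-tools` would be consistent with the other two files. The darkstat `sed` hard-codes `-i eth1`, which presumably relies on the box's interface naming and ordering; a comment saying that eth1 is expected to be the protected-network NIC would make that assumption visible. The header comment `# install_vfw_scripts() -` is left empty and could read `# install_vfw_scripts() - Download the sink init scripts and register vsink.sh as an init script`.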