[personal profile] gdt
Pyretic:
- SDN language: express high level policies
- runtime: "compiling" those policies to OpenFlow rules

Packets have location as an attribute.

Features of Pyretic:
- Write network policy as a function. Input a packet. Return packets at differing locations.
- Boolean predicates. AND, OR, NOT. Rather than OpenFlow exceptions.
- Virtual packet header fields. Such as locations, operator-applied tags.
- Parallel and sequential composition operators.

Network policies:
- OpenFlow (match, action) bit patterns are tough to reason about.
- Pyretic policies are functions which map packets to other packets.
  - identity: returns original packet
  - none: returns empty set
  - match(f=v): returns identity if field f matches value v, otherwise none
  - mod(f=v): returns packet with field f set to value v
  - fwd(a): returns mod(outport=a)
  - flood(): returns one packet for each port on the network spanning tree

Boolean predicates
- OpenFlow packets either match or "fall through" to next rule. Simple OR, NOT are tough
- Pyretic match() outputs the packet or nothing depending on the predicate
eg: match(dstip=10.0.0.3) | match(dstip=10.0.0.4)

Virtual packet headers
- unified way of representing packet meta-data (ingress port, etc)
- packet is a dictionary which maps a field name to a value
- match(inport=a), match(switch=T), match(dstmac=b)
- use mod() to change or add meta-data

Policy composition
- sequential. eg: match(dstip=2.2.2.8) >> fwd(1)
- parallel. eg: (match(dstip=2.2.2.8) >> fwd(1)) + (match(dstip=2.2.2.8) >> fwd(2))
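
An added example, not code from Pyretic or from these notes' source: a plain-Python model of the semantics above, where a policy is a function from one packet (a dictionary) to a list of packets and `>>`, `+`, `|` and `~` compose policies. The `Policy` class, the `outports` helper and the firewall addresses are constructed for illustration.

```python
# Toy model of the policy semantics in these notes; NOT the Pyretic library.
class Policy:
    def __init__(self, fn):
        self.fn = fn  # fn: packet dict -> list of packet dicts

    def __call__(self, pkt):
        return self.fn(pkt)

    def __rshift__(self, other):  # sequential: feed each output into `other`
        return Policy(lambda p: [q for mid in self(p) for q in other(mid)])

    def __add__(self, other):  # parallel: outputs of both policies
        return Policy(lambda p: self(p) + other(p))

    def __or__(self, other):  # predicate OR
        return Policy(lambda p: [p] if (self(p) or other(p)) else [])

    def __invert__(self):  # predicate NOT
        return Policy(lambda p: [] if self(p) else [p])

identity = Policy(lambda p: [p])
none = Policy(lambda p: [])

def match(**fields):
    ok = lambda p: all(p.get(f) == v for f, v in fields.items())
    return Policy(lambda p: [p] if ok(p) else [])

def mod(**fields):
    return Policy(lambda p: [{**p, **fields}])  # copy, never mutate the input

def fwd(port):
    return mod(outport=port)

def outports(pol, pkt):  # hypothetical helper: ports a packet leaves on
    return sorted(q["outport"] for q in pol(pkt))

# Constructed firewall: block one source, permit two destinations, then route.
allowed = match(dstip="10.0.0.3") | match(dstip="10.0.0.4")
firewall = ~match(srcip="10.0.0.66") >> allowed
route = (match(dstip="10.0.0.3") >> fwd(1)) + (match(dstip="10.0.0.4") >> fwd(2))
policy = firewall >> route

# The parallel example from the notes: one input packet, two output packets.
dup = (match(dstip="2.2.2.8") >> fwd(1)) + (match(dstip="2.2.2.8") >> fwd(2))

if __name__ == "__main__":
    print(outports(policy, {"srcip": "10.0.0.1", "dstip": "10.0.0.4"}))
    print(outports(policy, {"srcip": "10.0.0.66", "dstip": "10.0.0.4"}))
    print(outports(dup, {"dstip": "2.2.2.8"}))
```

A packet that matches no branch yields an empty list, which is how this model expresses a drop.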

Traffic monitoring
- create a query to see packet streams
eg: return first packet seen on a switch of a previously-unseen MAC address
self.query = packets(1, ['srcmac', 'switch'])
self.query.register_callback(learn_new_MAC)

- callbacks invoked for each match to query

Dynamic policies
- policies whose forwarding behaviour changes
- represented as a timeseries of static policies
- current value is self.policy
- common idiom: set a default policy, register query callbacks to update policy
eg: learning switch
pyretic.py pyretic.examples.simple_learner

eg: firewall
pyretic.py pyretic.examples.simple_firewall


Summary
- Pyretic makes writing complex policies easy:
  - network policy as function
  - predicates on packets
  - metadata as packet headers
  - policy composition
- composition makes it easy for one module to build upon another

Glen Turner