#!/usr/bin/python
# CS 6250 Spring 2023- SDN Firewall Project with POX
# build hackers-44
import pox.lib.packet as pkt
import pox.openflow.libopenflow_01 as of
from pox.lib.addresses import EthAddr
from pox.lib.revent import *
# You may use this space before the firewall_policy_processing function to add any extra function that you
# may need to complete your firewall implementation. No additional functions "should" be required to complete
# this assignment.
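# Priorities used for the two rule kinds. OpenFlow picks the highest-priority
# matching flow, so every Allow rule outranks every Block rule.
_BLOCK_PRIORITY = 0
_ALLOW_PRIORITY = 50000

# EtherType for IPv4; the L3/L4 match fields below are only meaningful when
# the frame is IPv4.
_IPV4_ETHERTYPE = 0x800

# A policy field holding this string is a wildcard (no constraint).
_WILDCARD = "-"


def _policy_field(policy, key):
    """Return policy[key], or None when the field is missing, empty or "-".

    Missing, empty and "-" all mean "do not constrain this match field".
    """
    value = policy.get(key)
    if not value or value == _WILDCARD:
        return None
    return value


def _build_match(policy):
    """Translate one configure.pol line into an of.ofp_match.

    Only the fields present in the policy are set; everything else stays
    wildcarded. MAC fields are wrapped in EthAddr; IP fields are passed as the
    raw string so CIDR notation is handled by POX (see the module docstring
    hint); protocol and ports are converted with int() and therefore raise
    ValueError on a non-numeric value.
    """
    match = of.ofp_match()

    mac_src = _policy_field(policy, 'mac-src')
    if mac_src is not None:
        match.dl_src = EthAddr(mac_src)
    mac_dst = _policy_field(policy, 'mac-dst')
    if mac_dst is not None:
        match.dl_dst = EthAddr(mac_dst)

    ip_src = _policy_field(policy, 'ip-src')
    if ip_src is not None:
        match.nw_src = ip_src
    ip_dst = _policy_field(policy, 'ip-dst')
    if ip_dst is not None:
        match.nw_dst = ip_dst

    ip_proto = _policy_field(policy, 'ipprotocol')
    if ip_proto is not None:
        match.nw_proto = int(ip_proto)

    # NOTE(review): OpenFlow 1.0 only honours tp_src/tp_dst when nw_proto is
    # TCP or UDP; a line that gives a port but no protocol may match more
    # traffic than intended — confirm against the policy file.
    port_src = _policy_field(policy, 'port-src')
    if port_src is not None:
        match.tp_src = int(port_src)
    port_dst = _policy_field(policy, 'port-dst')
    if port_dst is not None:
        match.tp_dst = int(port_dst)

    # Set last, as in the original ordering, so any prerequisite handling in
    # POX sees the same sequence of assignments.
    match.dl_type = _IPV4_ETHERTYPE
    return match


def _apply_action(rule, policy):
    """Set priority and actions on *rule* according to policy['action'].

    Raises:
        ValueError: if the action is neither 'Block' nor 'Allow'. Failing
            here is deliberate: a flow_mod with no actions and the default
            priority would otherwise be installed for a malformed line.
    """
    action = policy.get('action')
    if action == 'Block':
        # No actions on the flow_mod means matching packets are dropped.
        # NOTE(review): 0 is the lowest OpenFlow priority, so any other flow
        # on the switch with an overlapping match and a higher priority will
        # take precedence over this block rule — confirm that is intended.
        rule.priority = _BLOCK_PRIORITY
    elif action == 'Allow':
        rule.actions.append(of.ofp_action_output(port=of.OFPP_CONTROLLER))
        rule.priority = _ALLOW_PRIORITY
    else:
        raise ValueError(
            "rule %r: unknown action %r (expected 'Block' or 'Allow')"
            % (policy.get('rulenum'), action)
        )


def firewall_policy_processing(policies):
    '''
    Build one OpenFlow flow_mod per line of the configure.pol file.

    This is where you are to implement your code that will build POX/Openflow Match and Action operations to
    create a dynamic firewall meeting the requirements specified in your configure.pol file. Do NOT hardcode
    the IP/MAC Addresses/Protocols/Ports that are specified in the project description - this code should use
    the values provided in the configure.pol to implement the firewall.

    Args:
        policies: list of dictionary objects that contain the data imported from the configure.pol file.
            Each entry represents a single line of configure.pol; its values are read with policy['field'].
            The fields are: 'rulenum','action','mac-src','mac-dst','ip-src','ip-dst','ipprotocol','port-src',
            'port-dst','comment'. A field that is missing, empty or "-" is left wildcarded in the match.

    Returns:
        A list of flow_mods, one per policy and in input order, that represent the rules in configure.pol.
        'Block' rules carry no actions (drop) at priority 0; 'Allow' rules output to the controller at
        priority 50000, so an Allow always outranks a Block.

    Raises:
        ValueError: if a policy's 'action' is neither 'Block' nor 'Allow', or if 'ipprotocol',
            'port-src' or 'port-dst' is present but not an integer.
        KeyError: if a policy lacks 'rulenum' or 'comment' (used in the progress message).

    Implementation Hints:
    The documentation for the POX controller is available at https://noxrepo.github.io/pox-doc/html . This project
    is using the gar-experimental branch of POX in order to properly support Python 3. To complete this project, you
    need to use the OpenFlow match and flow_modification routines (https://noxrepo.github.io/pox-doc/html/#openflow-messages
    for flow_mod and https://noxrepo.github.io/pox-doc/html/#match-structure for match.) Also, do NOT wrap IP Addresses with
    IPAddr() unless you reformat the CIDR notation. Look at the https://github.com/att/pox/blob/master/pox/lib/addresses.py
    for what POX is expecting as an IP Address.
    '''
    rules = []
    for policy in policies:
        rule = of.ofp_flow_mod()
        rule.match = _build_match(policy)
        _apply_action(rule, policy)
        print('Added Rule ', policy['rulenum'], ': ', policy['comment'])
        rules.append(rule)
    return rules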