SDEWAN is implemented as CNF based on OpenWRT and it will support below functionalities:
- Export Restful API interface to support configuration of MWAN3, Firewall & NAT, IpSec.
- Site-to-Site tunnels across edges & edges & central orchestrators and application managers
SDEWAN Service
SDEWAN service restful API provides the capability to list available SDEWAN services, get service status and execute service operation.
Common Error code:
| Code | Description |
|---|---|
| 400 | Bad request |
| 401 | unauthorized -the security token is not provides or expired. |
| 404 | resource not found |
Error Response:
| Name | In | Type | Description |
|---|---|---|---|
| message | body | string | error message |
GET /cgi-bin/luci/sdewan/v1/services
Lists all available sdewan services supported by SDEWAN CNF
Request: N/A
Response
- Normal response codes: 200
Response Parameters
Name In Type Description services body array a list of supported service - Response Example
{
"services": ["mwan3", "firewall", "ipsec"]
}
PUT /cgi-bin/luci/sdewan/v1/service/{service}/
Execute a operation for a service
Request:
Request Parameters
Name In Type Description service path string service name, valid value are "mwan3", "firewall", "ipsec" action body string action to be executed. valid value are "start", "stop", "restart", "reload" Response Example
{
"action": "start"
}
Response
- Normal response code: 200
- Error response code: 400 (e.g. invalid action)
Response Parameters
Name In Type Description result body string operation execution result Response Example
{
"result": "success"
}
MWAN3
OpenWRT MWAN3 configuration includes below sections:
- Global: common configuration special used to configure routable loopback address (for OpenWRT 18.06)
- Interface: define how each WAN interface is tested for up/down status
- Member: represents an interface with a metric and a weight value
- Policy: defines how traffic is routed through the different WAN interface(s)
- Rule: describes what traffic to match and what policy to assign for that traffic.
SDEWAN CNF will be created with Global and Interface sections initialized based on CNF allocated interfaces.
SD-EWAN MWAN3 CNF API provides support to get/create/update/delete MWAN3 Rule, Policy (with Member).
MWAN3 Policy
GET /cgi-bin/luci/sdewan/mwan3/v1/policies
Lists all defined policies
Request: N/A
Response
- Normal response codes: 200
Response Parameters
Name In Type Description policies body array a list of defined policies - Response Example
{
"policies": [{
"name":"balanced",
"members": [
{
"interface": "net1",
"metric" 1,
"weight": 2
}
{
"interface": "net2",
"metric" 1,
"weight": 1
}
]
}
]
}
GET /cgi-bin/luci/sdewan/mwan3/v1/policy/{policy}
Get a policy
Request: N/A
Request Parameters
Name In Type Description policy path string policy name
Response
- Normal response codes: 200
- Error response code: 404
Response Parameters
Name In Type Description name body string policy name members body array policy members interface body string member interface name metric body int (optional) default: 1, members within one policy with a lower metric have precedence over higher metric members weight body int (optional) default: 1, members with same metric will distribute load based on this weight value - Response Example
{
"name": "balanced",
"members": [
{
"interface": "net1",
"metric" 1,
"weight": 2
}
{
"interface": "net2",
"metric" 1,
"weight": 1
}
]
}
POST /cgi-bin/luci/sdewan/mwan3/v1/policy
create a new policy
Request:
Request Parameters: same with GET's response request
- Request Example: same with GET's response example
Response
- Normal response codes: 201
- Error response codes: 400, 401
PUT /cgi-bin/luci/sdewan/mwan3/v1/policy/{policy}
update a policy
Request:
Request Parameters:
Name In Type Description policy path string policy name members body array policy members interface body string member interface name metric body int (optional) default: 1, members within one policy with a lower metric have precedence over higher metric members weight body int (optional) default: 1, members with same metric will distribute load based on this weight value - Request Example
{
"members": [
{
"interface": "net1",
"metric" 1,
"weight": 2
}
{
"interface": "net2",
"metric" 1,
"weight": 1
}
]
}
Response
- Normal response codes: 204
- Error response codes: 400, 401, 404
DELETE /cgi-bin/luci/sdewan/mwan3/v1/policy/{policy}
delete a policy
Request:
Request Parameters
Name In Type Description policy path string policy name
Response
- Normal response codes: 200
- Error response codes: 401, 404
MWAN3 Rule
GET /cgi-bin/luci/sdewan/mwan3/v1/rules
Lists all defined rules
Request: N/A
Response
- Normal response codes: 200
Response Parameters
Name In Type Description rules body array a list of defined rules - Response Example
{
"rules": [{
"name":"default_rule",
"dest_ip": "0.0.0.0/0",
"policy": "balanced"
}
]
}
GET /cgi-bin/luci/sdewan/mwan3/v1/rule/{rule}
Get a rule
Request: N/A
Request Parameters
Name In Type Description rule path string rule name
Response
- Normal response codes: 200
- Error response code: 404
Response Parameters
Name In Type Description name body string rule name policy body string policy used for the rule src_ip body string (optional) source ip address src_port body string (optional) source port or port range dest_ip body string (optional) destination ip address dest_port body string (optional) destination port or port range proto body string (optional) protocol for the rule. Valid values: "tcp", "udp", "icmp", "all" family body string (optional) address family. Valid values: "ipv4", "ipv6", "all" sticky body string (optional) default: 0, allow traffic from the same source ip address within the timeout limit to use same wan interface as prior session timeout body int (optional) default: 600, Stickiness timeout value in seconds - Response Example
{
"name":"default_rule",
"dest_ip": "0.0.0.0/0",
"policy": "balanced"
}
POST /cgi-bin/luci/sdewan/mwan3/v1/rule
create a new rule
Request:
Request Parameters: same with GET's response request
- Request Example: same with GET's response example
Response
- Normal response codes: 201
- Error response codes: 400, 401
PUT /cgi-bin/luci/sdewan/mwan3/v1/rule/{rule}
update a policy
Request:
Request Parameters
Name In Type Description rule path string rule name policy body string policy used for the rule src_ip body string (optional) source ip address src_port body string (optional) source port or port range dest_ip body string (optional) destination ip address dest_port body string (optional) destination port or port range proto body string (optional) protocol for the rule. Valid values: "tcp", "udp", "icmp", "all" family body string (optional) address family. Valid values: "ipv4", "ipv6", "all" sticky body string (optional) default: 0, allow traffic from the same source ip address within the timeout limit to use same wan interface as prior session timeout body int (optional) default: 600, Stickiness timeout value in seconds - Request Example
{
"dest_ip": "0.0.0.0/0",
"policy": "balanced"
}
Response
- Normal response codes: 204
- Error response codes: 400, 401, 404
DELETE /cgi-bin/luci/sdewan/mwan3/v1/rule/{rule}
delete a rule
Request:
Request Parameters
Name In Type Description rule path string rule name
Response
- Normal response codes: 200
- Error response codes: 401, 404
Firewall
OpenWRT Firewall configuration includes below sections:
- Default: declares global firewall settings which do not belong to specific zones
- Include: used to enable customized firewall scripts
- Zone: groups one or more interfaces and serves as a source or destination for forwardings, rules and redirects.
- Forwarding: control the traffic between zones
- Redirect: defines port forwarding (NAT) rules
- Rule: defines basic accept, drop, or reject rules to allow or restrict access to specific ports or hosts.
SDEWAN CNF will be created with Default sections initialized. Include section will not be included in this release.
SD-EWAN Firewall API provides support to get/create/update/delete Firewall Zone, Redirect, Rule and Forwardings
Zone
GET /cgi-bin/luci/sdewan/firewall/v1/zones
Lists all defined zones
Request: N/A
Response
- Normal response codes: 200
Response Parameters
Name In Type Description zones body array a list of defined zones - Response Example
{
"zones": [{
"name":"wan",
"network":"wan",
"input": "REJECT",
"output": "ACCEPT",
"forward": "REJECT",
"masq": "1",
"mtu_fix": "1"
}
]
}
GET /cgi-bin/luci/sdewan/firewall/v1/zone/{zone}
Get a zone
Request: N/A
Request Parameters
Name In Type Description zone path string zone name
Response
- Normal response codes: 200
- Error response code: 404
Response Parameters
Name In Type Description name body string (Required) zone name network body array List of interfaces attached to this zone masq body boolean Specifies whether outgoing zone traffic should be masqueraded. "0" or "1" masq_src body string Limit masquerading to the given source subnets. masq_dest body string Limit masquerading to the given destination subnets masq_allow_invalid body boolean whether add DROP INVALIDrulesmtu_fix body boolean Enable MSS clamping for outgoing zone traffic input body string Default policy ( ACCEPT,REJECT,DROP) for incoming zone traffic.forward body string Default policy ( ACCEPT,REJECT,DROP) for forwarded zone traffic.output body string Default policy ( ACCEPT,REJECT,DROP) for output zone traffic.family body string The protocol family ( ipv4,ipv6orany) these iptables rules are for.subnet body string List of IP subnets attached to this zone extra_src body string Extra arguments passed directly to iptables for source classification rules. etra_dest body string Extra arguments passed directly to iptables for destination classification rules. - Response Example
{
"name":"wan",
"network":"wan",
"input": "REJECT",
"output": "ACCEPT",
"forward": "REJECT",
"masq": "1",
"mtu_fix": "1",
}
POST /cgi-bin/luci/sdewan/firewall/v1/zone
create a new zone
Request:
Request Parameters: same with GET's response request
- Request Example: same with GET's response example
Response
- Normal response codes: 201
- Error response codes: 400, 401
PUT /cgi-bin/luci/sdewan/firewall/v1/zone/{zone}
update a zone
Request:
Request Parameters:
Name In Type Description zone path string zone name {other params} body same with GET response - Request Example
{
"network":"wan",
"input": "REJECT",
"output": "ACCEPT",
"forward": "REJECT",
"masq": "1",
"mtu_fix": "1"
}
Response
- Normal response codes: 204
- Error response codes: 400, 401, 404
DELETE /cgi-bin/luci/sdewan/firewall/v1/zone/{zone}
delete a zone
Request:
Request Parameters
Name In Type Description zone path string zone name
Response
- Normal response codes: 200
- Error response codes: 401, 404
Redirect
GET /cgi-bin/luci/sdewan/firewall/v1/redirects
Lists all defined redirects
Request: N/A
Response
- Normal response codes: 200
Response Parameters
Name In Type Description redirects body array a list of defined redirects - Response Example
{
"redirects": [{
"name":"DNAT-LAN",
"src":"wan",
"src_dport":"19900",
"dest":"lan",
"dest_ip":"192.168.1.1",
"dest_port":"22",
"proto":"tcp",
"target":"DNAT"}
]
}
GET /cgi-bin/luci/sdewan/firewall/v1/redirect/{redirect}
Get a redirect
Request: N/A
Request Parameters
Name In Type Description redirect path string redirect name
Response
- Normal response codes: 200
- Error response code: 404
Response Parameters
Name In Type Description name body string (Required) forwarding name src body string (Required) traffic source zone dest body string (Required) traffic destination zone family body string Protocol family ( ipv4,ipv6orany) to generate iptables rules for.- Response Example
{
"name":"DNAT-LAN",
"src":"wan",
"src_dport":"19900",
"dest":"lan",
"dest_ip":"192.168.1.1",
"dest_port":"22",
"proto":"tcp",
"target":"DNAT"}
POST /cgi-bin/luci/sdewan/firewall/v1/redirect
create a new redirect
Request:
Request Parameters: same with GET's response request
- Request Example: same with GET's response example
Response
- Normal response codes: 201
- Error response codes: 400, 401
PUT /cgi-bin/luci/sdewan/firewall/v1/redirect/{redirect}
update a redirect
Request:
Request Parameters:
Name In Type Description redirect path string redirect name {other params} body same with GET response - Request Example
{
"src":"wan",
"src_dport":"19900",
"dest":"lan",
"dest_ip":"192.168.1.1",
"dest_port":"22",
"proto":"tcp",
"target":"DNAT"}
Response
- Normal response codes: 204
- Error response codes: 400, 401, 404
DELETE /cgi-bin/luci/sdewan/firewall/v1/redirect/{redirect}
delete a redirect rule
Request:
Request Parameters
Name In Type Description redirect path string redirect name
Response
- Normal response codes: 200
- Error response codes: 401, 404
Rule
GET /cgi-bin/luci/sdewan/firewall/v1/rules
Lists all defined rules
Request: N/A
Response
- Normal response codes: 200
Response Parameters
Name In Type Description rules body array a list of defined rules - Response Example
{
"rules": [{
"name":"REJECT_LAN_80"
"src":"lan",
"src_ip": "192.168.1.2",
"src_port": "80",
"proto":"tcp",
"target":"REJECT"
}
]
}
GET /cgi-bin/luci/sdewan/firewall/v1/rule/{rule}
Get a rule
Request: N/A
Request Parameters
Name In Type Description rule path string rule name
Response
- Normal response codes: 200
- Error response code: 404
Response Parameters
Name In Type Description name body string (Required) forwarding name src body string (Required) traffic source zone dest body string (Required) traffic destination zone family body string Protocol family ( ipv4,ipv6orany) to generate iptables rules for.- Response Example
{
"name":"REJECT_LAN_80"
"src":"lan",
"src_ip": "192.168.1.2",
"src_port": "80",
"proto":"tcp",
"target":"REJECT"
}
POST /cgi-bin/luci/sdewan/firewall/v1/rule
create a new rule
Request:
Request Parameters: same with GET's response request
- Request Example: same with GET's response example
Response
- Normal response codes: 201
- Error response codes: 400, 401
PUT /cgi-bin/luci/sdewan/firewall/v1/rule/{rule}
update a rule
Request:
Request Parameters:
Name In Type Description rule path string rule name {other params} body same with GET response - Request Example
{
"src":"lan",
"src_ip": "192.168.1.2",
"src_port": "80",
"proto":"tcp",
"target":"REJECT"
}
Response
- Normal response codes: 204
- Error response codes: 400, 401, 404
DELETE /cgi-bin/luci/sdewan/firewall/v1/rule/{rule}
delete a firewall rule
Request:
Request Parameters
Name In Type Description rule path string rule name
Response
- Normal response codes: 200
- Error response codes: 401, 404
Forwarding
GET /cgi-bin/luci/sdewan/firewall/v1/forwardings
Lists all defined forwardings
Request: N/A
Response
- Normal response codes: 200
Response Parameters
Name In Type Description forwardings body array a list of defined forwardings - Response Example
{
"forwardings": [{
"name":"lan-wan",
"src":"lan",
"dest": "wan"
}
]
}
GET /cgi-bin/luci/sdewan/firewall/v1/forwarding/{forwarding}
Get a forwarding
Request: N/A
Request Parameters
Name In Type Description forwarding path string forwarding name
Response
- Normal response codes: 200
- Error response code: 404
Response Parameters
Name In Type Description name body string (Required) forwarding name src body string (Required) traffic source zone dest body string (Required) traffic destination zone family body string Protocol family ( ipv4,ipv6orany) to generate iptables rules for.- Response Example
{
"name":"lan-wan",
"src":"lan",
"dest": "wan"
}
POST /cgi-bin/luci/sdewan/firewall/v1/forwarding
create a new forwarding
Request:
Request Parameters: same with GET's response request
- Request Example: same with GET's response example
Response
- Normal response codes: 201
- Error response codes: 400, 401
PUT /cgi-bin/luci/sdewan/firewall/v1/forwarding/{forwarding}
update a forwarding
Request:
Request Parameters:
Name In Type Description forwarding path string forwarding name {other params} body same with GET response - Request Example
{
"src":"lan",
"dest": "wan"
}
Response
- Normal response codes: 204
- Error response codes: 400, 401, 404
DELETE /cgi-bin/luci/sdewan/firewall/v1/forwarding/{forwarding}
delete a forwarding rule
Request:
Request Parameters
Name In Type Description forwarding path string forwarding name
Response
- Normal response codes: 200
- Error response codes: 401, 404