SDEWAN is implemented as a CNF based on OpenWRT and will support the functionalities below:
The SDEWAN service REST API provides the capability to list the available SDEWAN services, get service status and execute service operations.
Common Error code:
Code | Description |
---|---|
400 | Bad request |
401 | Unauthorized: the security token is not provided or has expired. |
404 | Resource not found |
Error Response:
Name | In | Type | Description |
---|---|---|---|
message | body | string | error message |
PUT /cgi-bin/luci/sdewan/v1/service/{service}/
Execute an operation for a service
Request:
Request Parameters
Name | In | Type | Description |
---|---|---|---|
service | path | string | service name; valid values are "mwan3", "firewall", "ipsec" |
action | body | string | action to be executed; valid values are "start", "stop", "restart", "reload" |
Request Example
```json
{ "action": "start" }
```
Response
Response Parameters
Name | In | Type | Description |
---|---|---|---|
result | body | string | operation execution result |
Response Example
```json
{ "result": "success" }
```
GET /cgi-bin/luci/sdewan/v1/services
Lists all available SDEWAN services supported by the SDEWAN CNF
Request: N/A
Response
Response Parameters
Name | In | Type | Description |
---|---|---|---|
services | body | array | a list of supported services |
Response Example
```json
{ "services": ["mwan3", "firewall", "ipsec"] }
```
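An added client-side example (not part of the SDEWAN project's own code) that builds a service-operation request, checks the service and action names against the enumerations above before anything is sent, and maps the documented error codes to a readable failure. The base URL, the bearer `Authorization` header and the timeout are assumptions; the page does not say how the security token is carried.

```python
import json
import urllib.error
import urllib.request

# Enumerations and error texts taken from the tables above.
SERVICES = ("mwan3", "firewall", "ipsec")
ACTIONS = ("start", "stop", "restart", "reload")
ERROR_TEXT = {400: "Bad request", 401: "Unauthorized: token not provided or expired",
              404: "Resource not found"}


def build_service_request(base_url, service, action):
    """Return (method, url, body) for PUT /cgi-bin/luci/sdewan/v1/service/{service}/.
    Enumerations are checked client-side so a typo fails locally, not as a 400 from the CNF."""
    if service not in SERVICES:
        raise ValueError("unknown service %r, expected one of %s" % (service, SERVICES))
    if action not in ACTIONS:
        raise ValueError("unknown action %r, expected one of %s" % (action, ACTIONS))
    url = "%s/cgi-bin/luci/sdewan/v1/service/%s/" % (base_url.rstrip("/"), service)
    return "PUT", url, json.dumps({"action": action})


def parse_response(status, body):
    """Return the 'result' string on 200; otherwise raise with the error 'message'
    from the body, or the documented text for the status code if the body has none."""
    try:
        payload = json.loads(body) if body else {}
    except ValueError:
        payload = {}
    if status == 200:
        return payload.get("result")
    detail = payload.get("message") or ERROR_TEXT.get(status, "unexpected status")
    raise RuntimeError("HTTP %d: %s" % (status, detail))


def parse_services(body):
    """Extract the service list from a GET /cgi-bin/luci/sdewan/v1/services response."""
    services = json.loads(body).get("services", [])
    if not isinstance(services, list) or not all(isinstance(s, str) for s in services):
        raise ValueError("'services' must be a list of strings")
    return services


def run_service_action(base_url, token, service, action):
    """Send the request over HTTP. Bearer token header is an assumption (see lead-in)."""
    method, url, body = build_service_request(base_url, service, action)
    req = urllib.request.Request(url, data=body.encode(), method=method,
                                 headers={"Content-Type": "application/json",
                                          "Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return parse_response(err.code, err.read().decode())
```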
OpenWRT MWAN3 configuration includes the sections below:
The SDEWAN CNF is created with the Global and Interface sections initialized based on the interfaces allocated to the CNF.
The SD-EWAN MWAN3 CNF API provides support to get/create/update/delete MWAN3 Rules and Policies (with Members).
POST /cgi-bin/luci/sdewan/mwan3/v1/policies
create a new policy
Request:
Request Parameters: same as the PUT request's parameters
Response
PUT /cgi-bin/luci/sdewan/mwan3/v1/policies/{policy-name}
update a policy
Request:
Request Parameters:
Name | In | Type | Description |
---|---|---|---|
policy-name | path | string | policy name |
members | body | array | policy members |
interface | body | string | member interface name |
metric | body | int | (optional) default: 1, members within one policy with a lower metric have precedence over higher metric members |
weight | body | int | (optional) default: 1, members with same metric will distribute load based on this weight value |
Request Example
PUT /cgi-bin/luci/sdewan/mwan3/v1/policies/balanced
```json
{
  "members": [
    { "interface": "net1", "metric": 1, "weight": 2 },
    { "interface": "net2", "metric": 1, "weight": 1 }
  ]
}
```
Response
GET /cgi-bin/luci/sdewan/mwan3/v1/policies
Lists all defined policies
Request: N/A
Response
Response Parameters
Name | In | Type | Description |
---|---|---|---|
policies | body | array | a list of defined policies |
Response Example
```json
{
  "policies": [
    {
      "name": "balanced",
      "members": [
        { "interface": "net1", "metric": 1, "weight": 2 },
        { "interface": "net2", "metric": 1, "weight": 1 }
      ]
    }
  ]
}
```
GET /cgi-bin/luci/sdewan/mwan3/v1/policies/{policy-name}
Get a policy
Request: N/A
Request Parameters
Name | In | Type | Description |
---|---|---|---|
policy-name | path | string | policy name |
Response
Response Parameters
Name | In | Type | Description |
---|---|---|---|
name | body | string | policy name |
members | body | array | policy members |
interface | body | string | member interface name |
metric | body | int | (optional) default: 1, members within one policy with a lower metric have precedence over higher metric members |
weight | body | int | (optional) default: 1, members with same metric will distribute load based on this weight value |
Response Example
```json
{
  "name": "balanced",
  "members": [
    { "interface": "net1", "metric": 1, "weight": 2 },
    { "interface": "net2", "metric": 1, "weight": 1 }
  ]
}
```
DELETE /cgi-bin/luci/sdewan/mwan3/v1/policies/{policy-name}
delete a policy
Request:
Request Parameters
Name | In | Type | Description |
---|---|---|---|
policy-name | path | string | policy name |
Response
POST /cgi-bin/luci/sdewan/mwan3/v1/rules
create a new rule
Request:
Request Parameters: same as the PUT request's parameters
Response
PUT /cgi-bin/luci/sdewan/mwan3/v1/rules/{rule-name}
update a rule
Request:
Request Parameters
Name | In | Type | Description |
---|---|---|---|
rule-name | path | string | rule name |
policy | body | string | policy used for the rule |
src_ip | body | string | (optional) source ip address |
src_port | body | string | (optional) source port or port range |
dest_ip | body | string | (optional) destination ip address |
dest_port | body | string | (optional) destination port or port range |
proto | body | string | (optional) protocol for the rule. Valid values: "tcp", "udp", "icmp", "all" |
family | body | string | (optional) address family. Valid values: "ipv4", "ipv6", "all" |
sticky | body | string | (optional) default: 0, allow traffic from the same source ip address within the timeout limit to use the same WAN interface as the prior session |
timeout | body | int | (optional) default: 600, Stickiness timeout value in seconds |
Request Example
PUT /cgi-bin/luci/sdewan/mwan3/v1/rules/default_rule
```json
{ "dest_ip": "0.0.0.0/0", "policy": "balanced" }
```
Response
GET /cgi-bin/luci/sdewan/mwan3/v1/rules
Lists all defined rules
Request: N/A
Response
Response Parameters
Name | In | Type | Description |
---|---|---|---|
rules | body | array | a list of defined rules |
Response Example
```json
{ "rules": [ { "name": "default_rule", "dest_ip": "0.0.0.0/0", "policy": "balanced" } ] }
```
GET /cgi-bin/luci/sdewan/mwan3/v1/rules/{rule-name}
Get a rule
Request: N/A
Request Parameters
Name | In | Type | Description |
---|---|---|---|
rule-name | path | string | rule name |
Response
Response Parameters
Name | In | Type | Description |
---|---|---|---|
name | body | string | rule name |
policy | body | string | policy used for the rule |
src_ip | body | string | (optional) source ip address |
src_port | body | string | (optional) source port or port range |
dest_ip | body | string | (optional) destination ip address |
dest_port | body | string | (optional) destination port or port range |
proto | body | string | (optional) protocol for the rule. Valid values: "tcp", "udp", "icmp", "all" |
family | body | string | (optional) address family. Valid values: "ipv4", "ipv6", "all" |
sticky | body | string | (optional) default: 0, allow traffic from the same source ip address within the timeout limit to use the same WAN interface as the prior session |
timeout | body | int | (optional) default: 600, Stickiness timeout value in seconds |
Response Example (IPv4)
```json
{ "name": "default_rule", "dest_ip": "0.0.0.0/0", "policy": "balanced" }
```
Response Example (IPv6)
```json
{ "name": "default_ipv6_rule", "dest_ip": "fdca:f00:ba3::/64", "policy": "balanced" }
```
DELETE /cgi-bin/luci/sdewan/mwan3/v1/rules/{rule-name}
delete a rule
Request:
Request Parameters
Name | In | Type | Description |
---|---|---|---|
rule-name | path | string | rule name |
Response
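An added example (not the SDEWAN project's own code) that assembles the policy and rule bodies for the MWAN3 endpoints above and checks them before they are sent: member metric/weight defaults, the `proto`/`family` enumerations, that addresses parse, and that an address's IP version agrees with `family`. Passing the names returned by GET .../policies as `known_policies` is an assumption about how a caller would use it.

```python
import ipaddress

# Enumerations from the parameter tables above.
PROTOS = ("tcp", "udp", "icmp", "all")
FAMILIES = ("ipv4", "ipv6", "all")


def build_policy(members):
    """Body for PUT .../mwan3/v1/policies/{policy-name}; members are
    (interface, metric, weight) tuples, None falls back to the table default of 1."""
    body = []
    for iface, metric, weight in members:
        if not iface:
            raise ValueError("member interface name is required")
        metric = 1 if metric is None else int(metric)
        weight = 1 if weight is None else int(weight)
        if metric < 1 or weight < 1:
            raise ValueError("metric and weight must be positive")
        body.append({"interface": iface, "metric": metric, "weight": weight})
    if not body:
        raise ValueError("a policy needs at least one member")
    return {"members": body}


def build_rule(policy, src_ip=None, dest_ip=None, proto=None, family=None,
               sticky=None, timeout=None, known_policies=None):
    """Body for PUT .../mwan3/v1/rules/{rule-name}. Rejects an unknown policy
    (when known_policies is given), an unparsable address, or an address whose
    IP version disagrees with 'family'."""
    if known_policies is not None and policy not in known_policies:
        raise ValueError("rule references undefined policy %r" % policy)
    if proto is not None and proto not in PROTOS:
        raise ValueError("proto must be one of %s" % (PROTOS,))
    if family is not None and family not in FAMILIES:
        raise ValueError("family must be one of %s" % (FAMILIES,))
    body = {"policy": policy}
    want = {"ipv4": 4, "ipv6": 6}.get(family)  # None for "all" or unset
    for key, value in (("src_ip", src_ip), ("dest_ip", dest_ip)):
        if value is None:
            continue
        net = ipaddress.ip_network(value, strict=False)  # ValueError on junk
        if want is not None and net.version != want:
            raise ValueError("%s %s is IPv%d but family is %s" % (key, value, net.version, family))
        body[key] = value
    for key, value in (("proto", proto), ("family", family)):
        if value is not None:
            body[key] = value
    if sticky is not None:
        body["sticky"] = "1" if sticky else "0"  # the table types sticky as a string
    if timeout is not None:
        body["timeout"] = int(timeout)
    return body
```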
OpenWRT Firewall configuration includes the sections below:
The SDEWAN CNF is created with the Default sections initialized. The Include section will not be implemented in this release.
The SD-EWAN Firewall API provides support to get/create/update/delete Firewall Zones, Redirects, Rules and Forwardings.
POST /cgi-bin/luci/sdewan/firewall/v1/zones
create a new zone
Request:
Request Parameters: same as the PUT request's parameters
Response
PUT /cgi-bin/luci/sdewan/firewall/v1/zones/{zone-name}
update a zone
Request:
Request Parameters:
Name | In | Type | Description |
---|---|---|---|
zone-name | path | string | zone name |
{other params} | body | | same as the GET response parameters |
Request Example
PUT /cgi-bin/luci/sdewan/firewall/v1/zones/wan
```json
{ "network": "wan", "input": "REJECT", "output": "ACCEPT", "forward": "REJECT", "masq": "1", "mtu_fix": "1" }
```
Response
GET /cgi-bin/luci/sdewan/firewall/v1/zones
Lists all defined zones
Request: N/A
Response
Response Parameters
Name | In | Type | Description |
---|---|---|---|
zones | body | array | a list of defined zones |
Response Example
```json
{ "zones": [ { "name": "wan", "network": "wan", "input": "REJECT", "output": "ACCEPT", "forward": "REJECT", "masq": "1", "mtu_fix": "1" } ] }
```
GET /cgi-bin/luci/sdewan/firewall/v1/zones/{zone-name}
Get a zone
Request: N/A
Request Parameters
Name | In | Type | Description |
---|---|---|---|
zone-name | path | string | zone name |
Response
Response Parameters
Name | In | Type | Description |
---|---|---|---|
name | body | string | (Required) zone name |
network | body | array | List of interfaces attached to this zone |
masq | body | boolean | Specifies whether outgoing zone traffic should be masqueraded. "0" or "1" |
masq_src | body | string | Limit masquerading to the given source subnets. |
masq_dest | body | string | Limit masquerading to the given destination subnets. |
masq_allow_invalid | body | boolean | Whether to add DROP INVALID rules. |
mtu_fix | body | boolean | Enable MSS clamping for outgoing zone traffic. |
input | body | string | Default policy (ACCEPT, REJECT, DROP) for incoming zone traffic. |
forward | body | string | Default policy (ACCEPT, REJECT, DROP) for forwarded zone traffic. |
output | body | string | Default policy (ACCEPT, REJECT, DROP) for outgoing zone traffic. |
family | body | string | The protocol family (ipv4, ipv6 or any) these iptables rules are for. |
subnet | body | string | List of IP subnets attached to this zone. |
extra_src | body | string | Extra arguments passed directly to iptables for source classification rules. |
extra_dest | body | string | Extra arguments passed directly to iptables for destination classification rules. |
Response Example
```json
{ "name": "wan", "network": "wan", "input": "REJECT", "output": "ACCEPT", "forward": "REJECT", "masq": "1", "mtu_fix": "1" }
```
DELETE /cgi-bin/luci/sdewan/firewall/v1/zones/{zone-name}
delete a zone
Request:
Request Parameters
Name | In | Type | Description |
---|---|---|---|
zone-name | path | string | zone name |
Response
POST /cgi-bin/luci/sdewan/firewall/v1/redirects
create a new redirect
Request:
Request Parameters: same as the PUT request's parameters
Response
PUT /cgi-bin/luci/sdewan/firewall/v1/redirects/{redirect-name}
update a redirect
Request:
Request Parameters:
Name | In | Type | Description |
---|---|---|---|
redirect-name | path | string | redirect name |
{other params} | body | | same as the GET response parameters |
Request Example
PUT /cgi-bin/luci/sdewan/firewall/v1/redirects/dnat_lan
```json
{ "src": "wan" }
```
Response
GET /cgi-bin/luci/sdewan/firewall/v1/redirects
Lists all defined redirects
Request: N/A
Response
Response Parameters
Name | In | Type | Description |
---|---|---|---|
redirects | body | array | a list of defined redirects |
Response Example
```json
{ "redirects": [ { "name": "dnat_lan" } ] }
```
GET /cgi-bin/luci/sdewan/firewall/v1/redirects/{redirect-name}
Get a redirect
Request: N/A
Request Parameters
Name | In | Type | Description |
---|---|---|---|
redirect-name | path | string | redirect name |
Response
Response Parameters
Name | In | Type | Description |
---|---|---|---|
name | body | string | (Required) redirect name |
src | body | string | (Required for DNAT) traffic source zone |
src_ip | body | string | Match incoming traffic from the specified source ip address. |
src_dip | body | string | (Required for SNAT) For DNAT, match incoming traffic directed at the given destination ip address. For SNAT, rewrite the source address to the given address. |
src_mac | body | string | Match incoming traffic from the specified mac address. |
src_port | body | port or range | Match incoming traffic originating from the given source port or port range on the client host. |
src_dport | body | port or range | For DNAT, match incoming traffic directed at the given destination port or port range on this host. For SNAT, rewrite the source ports to the given value. |
proto | body | string | Match incoming traffic using the given protocol. Can be one of tcp, udp, tcpudp, udplite, icmp, esp, ah, sctp, or all |
dest | body | string | Specifies the traffic destination zone. Must refer to one of the defined zone names. |
dest_ip | body | string | For DNAT, redirect matched incoming traffic to the specified internal host. For SNAT, match traffic directed at the given address. |
dest_port | body | port or range | For DNAT, redirect matched incoming traffic to the given port on the internal host. For SNAT, match traffic directed at the given ports. |
mark | body | string | Match traffic against the given firewall mark |
target | body | string | (Required) NAT target: SNAT, DNAT |
family | body | string | Protocol family (ipv4, ipv6 or any) to generate iptables rules for |
Response Example
```json
{ "name": "dnat_lan" }
```
DELETE /cgi-bin/luci/sdewan/firewall/v1/redirects/{redirect-name}
delete a redirect rule
Request:
Request Parameters
Name | In | Type | Description |
---|---|---|---|
redirect-name | path | string | redirect name |
Response
POST /cgi-bin/luci/sdewan/firewall/v1/rules
create a new rule
Request:
Request Parameters: same as the PUT request's parameters
Response
PUT /cgi-bin/luci/sdewan/firewall/v1/rules/{rule-name}
update a rule
Request:
Request Parameters:
Name | In | Type | Description |
---|---|---|---|
rule-name | path | string | rule name |
{other params} | body | | same as the GET response parameters |
Request Example
PUT /cgi-bin/luci/sdewan/firewall/v1/rules/reject_lan_80
```json
{ "src": "lan", "src_ip": "192.168.1.2", "src_port": "80", "proto": "tcp", "target": "REJECT" }
```
Response
GET /cgi-bin/luci/sdewan/firewall/v1/rules
Lists all defined rules
Request: N/A
Response
Response Parameters
Name | In | Type | Description |
---|---|---|---|
rules | body | array | a list of defined rules |
Response Example
```json
{ "rules": [ { "name": "reject_lan_80", "src": "lan", "src_ip": "192.168.1.2", "src_port": "80", "proto": "tcp", "target": "REJECT" } ] }
```
GET /cgi-bin/luci/sdewan/firewall/v1/rules/{rule-name}
Get a rule
Request: N/A
Request Parameters
Name | In | Type | Description |
---|---|---|---|
rule-name | path | string | rule name |
Response
Response Parameters
Name | In | Type | Description |
---|---|---|---|
name | body | string | (Required) rule name |
src | body | string | (Required) traffic source zone |
src_ip | body | string | Match incoming traffic from the specified source ip address |
src_mac | body | string | Match incoming traffic from the specified mac address |
src_port | body | port or range | Match incoming traffic from the specified source port or port range |
proto | body | string | Match incoming traffic using the given protocol. Can be one of tcp, udp, tcpudp, udplite, icmp, esp, ah, sctp, or all |
icmp_type | body | string | For protocol icmp, select specific icmp types to match. |
dest | body | string | Traffic destination zone. Must refer to one of the defined zone names, or * for any zone |
dest_ip | body | string | Match incoming traffic directed to the specified destination ip address |
dest_port | body | port or range | Match incoming traffic directed at the given destination port or port range |
mark | body | string | If specified, match traffic against the given firewall mark |
target | body | string | (Required) Firewall action (ACCEPT, REJECT, DROP, MARK, NOTRACK) for matched traffic |
set_mark | body | string | Zeroes out the bits given by mask and ORs value into the packet mark. |
set_xmark | body | string | Zeroes out the bits given by mask and XORs value into the packet mark. |
family | body | string | Protocol family (ipv4, ipv6 or any) to generate iptables rules for |
extra | body | string | Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as -m policy --dir in for IPsec. |
Response Example
```json
{ "name": "reject_lan_80", "src": "lan", "src_ip": "192.168.1.2", "src_port": "80", "proto": "tcp", "target": "REJECT" }
```
DELETE /cgi-bin/luci/sdewan/firewall/v1/rules/{rule-name}
delete a firewall rule
Request:
Request Parameters
Name | In | Type | Description |
---|---|---|---|
rule-name | path | string | rule name |
Response
POST /cgi-bin/luci/sdewan/firewall/v1/forwardings
create a new forwarding
Request:
Request Parameters: same as the PUT request's parameters
Response
PUT /cgi-bin/luci/sdewan/firewall/v1/forwardings/{forwarding-name}
update a forwarding
Request:
Request Parameters:
Name | In | Type | Description |
---|---|---|---|
forwarding-name | path | string | forwarding name |
{other params} | body | | same as the GET response parameters |
Request Example
PUT /cgi-bin/luci/sdewan/firewall/v1/forwardings/lan_wan
```json
{ "src": "lan", "dest": "wan" }
```
Response
GET /cgi-bin/luci/sdewan/firewall/v1/forwardings
Lists all defined forwardings
Request: N/A
Response
Response Parameters
Name | In | Type | Description |
---|---|---|---|
forwardings | body | array | a list of defined forwardings |
Response Example
```json
{ "forwardings": [ { "name": "lan_wan", "src": "lan", "dest": "wan" } ] }
```
GET /cgi-bin/luci/sdewan/firewall/v1/forwardings/{forwarding-name}
Get a forwarding
Request: N/A
Request Parameters
Name | In | Type | Description |
---|---|---|---|
forwarding-name | path | string | forwarding name |
Response
Response Parameters
Name | In | Type | Description |
---|---|---|---|
name | body | string | (Required) forwarding name |
src | body | string | (Required) traffic source zone |
dest | body | string | (Required) traffic destination zone |
family | body | string | Protocol family (ipv4, ipv6 or any) to generate iptables rules for. |
Response Example
```json
{ "name": "lan_wan", "src": "lan", "dest": "wan" }
```
DELETE /cgi-bin/luci/sdewan/firewall/v1/forwardings/{forwarding-name}
delete a forwarding rule
Request:
Request Parameters
Name | In | Type | Description |
---|---|---|---|
forwarding-name | path | string | forwarding name |
Response
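An added example (not the SDEWAN project's own code) that checks a set of firewall objects, in the shape the GET responses above return, before they are pushed to the CNF: default policies and targets against the tables' allowed values, the per-target required fields of a redirect (`src` for DNAT, `src_dip` for SNAT), every zone reference in rules, redirects and forwardings against the defined zone names, and a masquerading zone whose `input` default is ACCEPT. The sample objects are constructed for the example.

```python
# Allowed values from the parameter tables above.
ZONE_POLICIES = ("ACCEPT", "REJECT", "DROP")
RULE_TARGETS = ("ACCEPT", "REJECT", "DROP", "MARK", "NOTRACK")
NAT_TARGETS = ("SNAT", "DNAT")


def lint_firewall(zones, rules, redirects, forwardings):
    """Return a list of problem strings; an empty list means the objects are consistent."""
    problems = []
    names = {z["name"] for z in zones if z.get("name")}
    for z in zones:
        zn = z.get("name", "<unnamed>")
        for chain in ("input", "forward", "output"):
            if z.get(chain) not in ZONE_POLICIES:
                problems.append("zone %s: %s policy %r is not ACCEPT/REJECT/DROP" % (zn, chain, z.get(chain)))
        # A masquerading zone faces the WAN; an ACCEPT input default there exposes
        # every listener on the CNF, so it is flagged for review rather than applied silently.
        if z.get("masq") == "1" and z.get("input") == "ACCEPT":
            problems.append("zone %s: masquerading zone accepts all incoming traffic" % zn)
    for r in rules:
        rn = r.get("name", "<unnamed>")
        if r.get("target") not in RULE_TARGETS:
            problems.append("rule %s: target %r invalid" % (rn, r.get("target")))
        if r.get("src") not in names:
            problems.append("rule %s: src zone %r is not defined" % (rn, r.get("src")))
        if r.get("dest") not in (None, "*") and r["dest"] not in names:
            problems.append("rule %s: dest zone %r is not defined" % (rn, r["dest"]))
    for r in redirects:
        rn, target = r.get("name", "<unnamed>"), r.get("target")
        if target not in NAT_TARGETS:
            problems.append("redirect %s: target %r must be SNAT or DNAT" % (rn, target))
        if target == "DNAT" and not r.get("src"):
            problems.append("redirect %s: DNAT requires src" % rn)
        if target == "SNAT" and not r.get("src_dip"):
            problems.append("redirect %s: SNAT requires src_dip" % rn)
        if r.get("dest") is not None and r["dest"] not in names:
            problems.append("redirect %s: dest zone %r is not defined" % (rn, r["dest"]))
    for f in forwardings:
        for key in ("src", "dest"):
            if f.get(key) not in names:
                problems.append("forwarding %s: %s zone %r is not defined" % (f.get("name"), key, f.get(key)))
    return problems


# Constructed sample in the shape of the GET responses in this section.
SAMPLE_ZONES = [
    {"name": "wan", "network": "wan", "input": "REJECT", "output": "ACCEPT", "forward": "REJECT", "masq": "1", "mtu_fix": "1"},
    {"name": "lan", "network": "lan", "input": "ACCEPT", "output": "ACCEPT", "forward": "ACCEPT", "masq": "0", "mtu_fix": "1"},
]
SAMPLE_RULES = [{"name": "reject_lan_80", "src": "lan", "src_ip": "192.168.1.2", "src_port": "80", "proto": "tcp", "target": "REJECT"}]
SAMPLE_REDIRECTS = [{"name": "dnat_lan", "src": "wan", "dest": "lan", "target": "DNAT"}]
SAMPLE_FORWARDINGS = [{"name": "lan_wan", "src": "lan", "dest": "wan"}]

if __name__ == "__main__":
    print(lint_firewall(SAMPLE_ZONES, SAMPLE_RULES, SAMPLE_REDIRECTS, SAMPLE_FORWARDINGS) or "ok")
```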