Difference between revisions of "Neutron/FWaaS/HowToInstall"
Revision as of 00:03, 25 July 2013
Installation
Checkout Test branches
API, Agent and Driver code: https://review.openstack.org/#/c/34074/
CLI: https://review.openstack.org/#/c/33187/
Devstack: https://review.openstack.org/#/c/37147/
Please add this line to localrc:
enable_service q-fwaas
Setup Params
- If you used the devstack patch above, you can skip this section
- If you did not use the devstack patch above and installed devstack from the trunk, after the installation add the following to
/etc/neutron/neutron.conf
service_plugins = neutron.services.firewall.fwaas_plugin.FirewallPlugin
Note: you can also add this line to localrc before running stack.sh to get the above configuration automatically:
Q_SERVICE_PLUGIN_CLASSES=neutron.services.firewall.fwaas_plugin.FirewallPlugin
- Add the following file:
/etc/neutron/fwaas_driver.ini
[fwaas]
driver = neutron.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver
enabled = True
- Restart the l3 agent
When you do this, you will need to provide the fwaas_driver.ini conf file as an argument as well:
cd /opt/stack/neutron && python /usr/local/bin/neutron-openvswitch-agent --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini --config-file /etc/neutron/fwaas_driver.ini || touch "/opt/stack/status/stack/q-agt.failure"
- Restart the neutron server
CLI/REST Walkthrough
REST calls using curl:
export q_url=http://<neutron-server-ip>:9696/v2.0
for example
export q_url=http://127.0.0.1:9696/v2.0
and
export auth_token=<auth_token>
where <auth_token> is the token obtained from:
keystone token-get
or
export auth_token=`keystone token-get | awk '/id/{print $4}' | head -n1`
- To list firewalls, firewall_policies, firewall_rules:
curl -X GET -H "X-Auth-Token: $auth_token" $q_url/fw/firewalls | python -mjson.tool
curl -X GET -H "X-Auth-Token: $auth_token" $q_url/fw/firewall_policies | python -mjson.tool
curl -X GET -H "X-Auth-Token: $auth_token" $q_url/fw/firewall_rules | python -mjson.tool
- Create firewall rule:
curl -X POST -H "X-Auth-Token: $auth_token" -H "Content-type:application/json" -d '{"firewall_rule": {"protocol": "tcp", "destination_port": "80", "action": "allow"}}' $q_url/fw/firewall_rules
- Create firewall policy:
curl -X POST -H "X-Auth-Token: $auth_token" -H "Content-type:application/json" -d '{"firewall_policy": {"name": "fwasspolicy"} }' $q_url/fw/firewall_policies
- Add rule to policy (this could have been done while creating the firewall policy too):
curl -X PUT -H "X-Auth-Token: $auth_token" -H "Content-type:application/json" -d '{"firewall_policy": {"firewall_rules": ["1d47c609-8fd1-4aad-97fd-157887c47b4f"]}}' $q_url/fw/firewall_policies/9c50d2d0-3a85-4ed7-a20f-bef8c08233e3
- Create the firewall with the policy association:
curl -X POST -H "X-Auth-Token: $auth_token" -H "Content-type:application/json" -d '{"firewall": {"name": "fwasstest", "firewall_policy_id": "9c50d2d0-3a85-4ed7-a20f-bef8c08233e3"} }' $q_url/fw/firewalls
- Delete the firewall:
curl -X DELETE -H "X-Auth-Token: $auth_token" $q_url/fw/firewalls/9649548e-b87f-4c56-bbb7-5ee84b316da1
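The walkthrough above pastes the rule, policy and firewall UUIDs by hand. The following added example (not part of the original wiki page or the Neutron code base) chains the same requests and passes each returned id forward, and confirms that the rule is listed in the policy before the firewall is created. It assumes each response wraps the object under its resource name, e.g. {"firewall_rule": {"id": ...}}; the function names and fake_call, a constructed stand-in for the server, are hypothetical.

```python
import json
import urllib.request

def neutron_call(method, url, token, body=None):
    """Send one request with the X-Auth-Token header; return decoded JSON or None."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("X-Auth-Token", token)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None

def create_firewall(q_url, token, call=neutron_call):
    """Rule -> policy -> attach rule -> firewall, reusing the ids the server returns."""
    rule = call("POST", q_url + "/fw/firewall_rules", token,
                {"firewall_rule": {"protocol": "tcp", "destination_port": "80",
                                   "action": "allow"}})["firewall_rule"]
    policy = call("POST", q_url + "/fw/firewall_policies", token,
                  {"firewall_policy": {"name": "fwasspolicy"}})["firewall_policy"]
    updated = call("PUT", q_url + "/fw/firewall_policies/" + policy["id"], token,
                   {"firewall_policy": {"firewall_rules": [rule["id"]]}})["firewall_policy"]
    # Stop here if the policy does not list the rule: do not bind an unverified policy.
    if rule["id"] not in updated.get("firewall_rules", []):
        raise RuntimeError("rule %s not attached to policy %s" % (rule["id"], policy["id"]))
    fw = call("POST", q_url + "/fw/firewalls", token,
              {"firewall": {"name": "fwasstest",
                            "firewall_policy_id": policy["id"]}})["firewall"]
    return {"rule": rule["id"], "policy": policy["id"], "firewall": fw["id"]}

def delete_firewall(q_url, token, firewall_id, call=neutron_call):
    """Remove the firewall created above."""
    call("DELETE", q_url + "/fw/firewalls/" + firewall_id, token)

def fake_call(method, url, token, body=None):
    """Constructed stand-in for the server: echoes the body back with a made-up id."""
    if method == "DELETE":
        return None
    kind, fields = next(iter(body.items()))
    return {kind: dict(fields, id="constructed-%s-id" % kind)}

if __name__ == "__main__":
    # Offline dry run against the constructed stand-in; drop call= to use a real server.
    print(create_firewall("http://127.0.0.1:9696/v2.0", "constructed-token", call=fake_call))
```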