Difference between revisions of "Neutron/FWaaS/FWaaS-DVR"
(Created page with "FWaaS DVR With DVR we can have flows being asymmetric with respect to a router. FWaaS implemented as iptables relies on seeing both sides of a flow for stateful inspection. DV...") |
|||
| Line 1: | Line 1: | ||
| − | FWaaS DVR | + | === FWaaS DVR === |
With DVR we can have flows being asymmetric with respect to a router. FWaaS implemented as iptables relies on seeing both sides of a flow for stateful inspection. DVR introduces some additional network namespaces to deal with different aspects of a traffic flow. The initial target being attempted is to ensure that FWaaS can be applied on North - South (N - S) traffic flows correctly. This will get us perimeter firewall support. | With DVR we can have flows being asymmetric with respect to a router. FWaaS implemented as iptables relies on seeing both sides of a flow for stateful inspection. DVR introduces some additional network namespaces to deal with different aspects of a traffic flow. The initial target being attempted is to ensure that FWaaS can be applied on North - South (N - S) traffic flows correctly. This will get us perimeter firewall support. | ||
The changes ensure that FWaaS rules are applied on the correct network Namespace on the Network node as well as on the Compute node. FWaaS support for East - West traffic is not being addressed at this time. | The changes ensure that FWaaS rules are applied on the correct network Namespace on the Network node as well as on the Compute node. FWaaS support for East - West traffic is not being addressed at this time. | ||
| − | FWaaS DVR Blueprint | + | [https://blueprints.launchpad.net/neutron/+spec/neutron-dvr-fwaas FWaaS DVR Blueprint] |
| − | FWaaS DVR Spec | + | [https://review.openstack.org/106225 FWaaS DVR Spec] |
| − | FWaaS DVR Patch | + | [https://review.openstack.org/113359 FWaaS DVR Patch] |
| − | FWaaS DVR Migration | + | === FWaaS DVR Migration === |
| − | centralized to distributed there will be a check inside plugin to throw an exception if a firewall has been configured this requires helper to know if there is a firewall configured | + | centralized to distributed there will be a check inside plugin to throw an exception if a firewall has been configured |
| + | this requires helper to know if there is a firewall configured | ||
| − | Mix of centralized and distributed routers and migrating to a different types, although this might work the behavior is not yet known and our initial target is tackle the limited transitions from centralized to distributed | + | Mix of centralized and distributed routers and migrating to a different types, although this might work |
| + | the behavior is not yet known and our initial target is tackle the limited transitions | ||
| + | from centralized to distributed | ||
| − | distributed to centralized there needs to a check inside plugin to throw an exception if a firewall has been configured this requires helper to know if there is a firewall configured, although this case is not the likely one to be addressed. | + | distributed to centralized there needs to a check inside plugin to throw an exception if a firewall has been configured |
| + | this requires helper to know if there is a firewall configured, although this case is not the likely one to be addressed. | ||
| − | FWaaS DVR Setup | + | === FWaaS DVR Setup === |
| − | single node setup requires following changes to localrc Q_PLUGIN=ml2 Q_ML2_TENANT_NETWORK_TYPE=vxlan Q_DVR_MODE=dvr_snat | + | single node setup requires following changes to localrc |
| + | Q_PLUGIN=ml2 | ||
| + | Q_ML2_TENANT_NETWORK_TYPE=vxlan | ||
| + | Q_DVR_MODE=dvr_snat | ||
| − | sample name space created: qdhcp-de6d0488-b95f-48b6-93e9-5ab7c0c96e1d qdhcp-13465298-a563-4c1c-88f6-4c1abc26dbac snat-0391ee86-08ea-4186-ac00-6f550554e4e7 qrouter-0391ee86-08ea-4186-ac00-6f550554e4e7 | + | sample name space created: |
| + | qdhcp-de6d0488-b95f-48b6-93e9-5ab7c0c96e1d | ||
| + | qdhcp-13465298-a563-4c1c-88f6-4c1abc26dbac | ||
| + | snat-0391ee86-08ea-4186-ac00-6f550554e4e7 | ||
| + | qrouter-0391ee86-08ea-4186-ac00-6f550554e4e7 | ||
Revision as of 04:04, 22 August 2014
FWaaS DVR
With DVR we can have flows being asymmetric with respect to a router. FWaaS implemented as iptables relies on seeing both sides of a flow for stateful inspection. DVR introduces some additional network namespaces to deal with different aspects of a traffic flow. The initial target being attempted is to ensure that FWaaS can be applied on North - South (N - S) traffic flows correctly. This will get us perimeter firewall support.
The changes ensure that FWaaS rules are applied on the correct network Namespace on the Network node as well as on the Compute node. FWaaS support for East - West traffic is not being addressed at this time.
FWaaS DVR Migration
centralized to distributed there will be a check inside plugin to throw an exception if a firewall has been configured this requires helper to know if there is a firewall configured
Mix of centralized and distributed routers and migrating to a different types, although this might work the behavior is not yet known and our initial target is tackle the limited transitions from centralized to distributed
distributed to centralized there needs to a check inside plugin to throw an exception if a firewall has been configured this requires helper to know if there is a firewall configured, although this case is not the likely one to be addressed.
FWaaS DVR Setup
single node setup requires following changes to localrc Q_PLUGIN=ml2 Q_ML2_TENANT_NETWORK_TYPE=vxlan Q_DVR_MODE=dvr_snat
sample name space created: qdhcp-de6d0488-b95f-48b6-93e9-5ab7c0c96e1d qdhcp-13465298-a563-4c1c-88f6-4c1abc26dbac snat-0391ee86-08ea-4186-ac00-6f550554e4e7 qrouter-0391ee86-08ea-4186-ac00-6f550554e4e7
