|
|
Line 1: |
Line 1: |
− | === FWaaS DVR ===
| |
− | With DVR we can have flows being asymmetric with respect to a router. FWaaS implemented as iptables relies on seeing both sides of a flow for stateful inspection. DVR introduces some additional network namespaces to deal with different aspects of a traffic flow. The initial target being attempted is to ensure that FWaaS can be applied on North - South (N - S) traffic flows correctly. This will get us perimeter firewall support.
| |
| | | |
− | The changes ensure that FWaaS rules are applied on the correct network Namespace on the Network node as well as on the Compute node. FWaaS support for East - West traffic is not being addressed at this time.
| |
− |
| |
− | [https://blueprints.launchpad.net/neutron/+spec/neutron-dvr-fwaas FWaaS DVR Blueprint]
| |
− |
| |
− | [https://review.openstack.org/106225 FWaaS DVR Spec]
| |
− |
| |
− | [https://review.openstack.org/113359 FWaaS DVR Patch]
| |
− |
| |
− | === FWaaS DVR Migration ===
| |
− | centralized to distributed there will be a check inside plugin to throw an exception if a firewall has been configured
| |
− | this requires helper to know if there is a firewall configured
| |
− |
| |
− | Mix of centralized and distributed routers and migrating to a different types, although this might work
| |
− | the behavior is not yet known and our initial target is tackle the limited transitions
| |
− | from centralized to distributed
| |
− |
| |
− | distributed to centralized there needs to a check inside plugin to throw an exception if a firewall has been configured
| |
− | this requires helper to know if there is a firewall configured, although this case is not the likely one to be addressed.
| |
− |
| |
− | === FWaaS DVR Setup ===
| |
− | single node setup requires following changes to localrc
| |
− | Q_PLUGIN=ml2
| |
− | Q_ML2_TENANT_NETWORK_TYPE=vxlan
| |
− | Q_DVR_MODE=dvr_snat
| |
− |
| |
− | sample name space created:
| |
− | qdhcp-de6d0488-b95f-48b6-93e9-5ab7c0c96e1d
| |
− | qdhcp-13465298-a563-4c1c-88f6-4c1abc26dbac
| |
− | snat-0391ee86-08ea-4186-ac00-6f550554e4e7
| |
− | qrouter-0391ee86-08ea-4186-ac00-6f550554e4e7
| |
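Review bot: The removed "FWaaS DVR Migration" lines are the only place in this hunk that records the plugin check that throws an exception when a router is changed from centralized to distributed (or distributed to centralized) while a firewall is configured, and no replacement text is visible on the added side. Suggest keeping that paragraph, or moving it together with the scope statement from the first removed section that only North - South traffic is covered and that "FWaaS support for East - West traffic is not being addressed at this time", so a reader of the remaining page does not assume firewall rules apply to every DVR flow. The same goes for the three localrc settings under "FWaaS DVR Setup" (Q_PLUGIN=ml2, Q_ML2_TENANT_NETWORK_TYPE=vxlan, Q_DVR_MODE=dvr_snat): if the section is being relocated rather than retired, leave a link to the new location in place of the removed heading.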