FWaaS DVR
With DVR, flows can be asymmetric with respect to a router. FWaaS, implemented with iptables, relies on seeing both sides of a flow for stateful inspection. DVR also introduces additional network namespaces that handle different aspects of a traffic flow. The initial target is to ensure that FWaaS is applied correctly to North-South (N-S) traffic flows, which gives us perimeter firewall support.
The changes ensure that FWaaS rules are applied in the correct network namespace on the network node as well as on the compute node. FWaaS support for East-West (E-W) traffic is not being addressed at this time.
FWaaS DVR Migration
- Centralized to distributed: a check inside the plugin will throw an exception if a firewall has been configured. This requires a helper that reports whether a firewall is configured.
- Mix of centralized and distributed routers, and migrating between the different types: although this might work, the behavior is not yet known; the initial target is the limited transition from centralized to distributed.
- Distributed to centralized: there needs to be a check inside the plugin to throw an exception if a firewall has been configured, again requiring the helper that reports whether a firewall is configured, although this case is not the likely one to be addressed.
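The plugin-side migration check described above, written out as an added illustrative example (not Neutron's or FWaaS's own code). It assumes a router is a dict with id, tenant_id and distributed keys, and that the "helper" is a callable returning the firewall ids configured for a tenant; both transition directions are refused while a firewall exists.

```python
# Added illustrative example, not Neutron's own code. Assumptions: a router is a
# dict with 'id', 'tenant_id' and 'distributed'; the "helper" is a callable that
# returns the firewall ids configured for a tenant.


class RouterMigrationBlocked(Exception):
    """Raised when a router would change mode while a firewall is configured."""


def migration_kind(old_distributed, new_distributed):
    """Name the transition, or None when the DVR flag does not change."""
    if bool(old_distributed) == bool(new_distributed):
        return None
    if new_distributed:
        return "centralized_to_distributed"
    return "distributed_to_centralized"


def check_router_migration(router, new_attrs, firewalls_for_tenant):
    """Guard for a router update, as the plugin would run it.

    Returns the transition name when the update is allowed, None when the
    update does not change the 'distributed' flag, and raises
    RouterMigrationBlocked when a firewall exists for the router's tenant.
    Both directions are refused, matching the migration notes above.
    """
    if "distributed" not in new_attrs:
        return None
    kind = migration_kind(router["distributed"], new_attrs["distributed"])
    if kind is None:
        return None
    fw_ids = list(firewalls_for_tenant(router["tenant_id"]))
    if fw_ids:
        raise RouterMigrationBlocked(
            "router %s: %s refused, firewall(s) configured: %s"
            % (router["id"], kind, ", ".join(fw_ids)))
    return kind


def is_migration_blocked(router, new_attrs, firewalls_for_tenant):
    """True when the update would be rejected by check_router_migration."""
    try:
        check_router_migration(router, new_attrs, firewalls_for_tenant)
    except RouterMigrationBlocked:
        return True
    return False


# Constructed sample data standing in for the FWaaS database helper.
SAMPLE_FIREWALLS = {"tenant-a": ["fw-1"], "tenant-b": []}


def sample_firewalls_for_tenant(tenant_id):
    return SAMPLE_FIREWALLS.get(tenant_id, [])
```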
FWaaS DVR Setup
A single-node setup requires the following changes to localrc:
Q_PLUGIN=ml2
Q_ML2_TENANT_NETWORK_TYPE=vxlan
Q_DVR_MODE=dvr_snat
Sample namespaces created:
qdhcp-de6d0488-b95f-48b6-93e9-5ab7c0c96e1d
qdhcp-13465298-a563-4c1c-88f6-4c1abc26dbac
snat-0391ee86-08ea-4186-ac00-6f550554e4e7
qrouter-0391ee86-08ea-4186-ac00-6f550554e4e7
Testing
Manual test cases
1. Legacy Firewall: Create FW, check qrouter namespace, datapath test.
2. Legacy Firewall: Add a router with FW present; make sure that the new qrouter namespace is populated.
3. DVR Single Node: Create VM, check namespaces, ping br-ex.
4. DVR Single Node: Associate Floating IP, check namespaces, ping br-ex.
5. DVR Single Node: Create FW, check for rules in namespaces, ping br-ex for datapath.
6. DVR Single Node: With FW, create a router, set gw, check namespace.
7. DVR Single Node: With FW, add router interface to (6), check namespace.
8. DVR Multi Node, on Compute Node: Create VM, check namespaces, ping br-ex.
9. DVR Multi Node, on Compute Node: After (8), add FW, check ping to br-ex.
10. DVR Multi Node, on Compute Node: Associate Floating IP, check namespaces.
11. DVR Multi Node, on Compute Node: Create another subnet with a VM, ping other VM (E-W scenario).