Difference between revisions of "Neutron/FWaaS/FWaaS-ServiceGroup"

Latest revision as of 19:40, 27 August 2014

In FWaaS, administrator can use port range and protocol inside firewall rules to define traffic type. But we don't have a flexible way to allow user to specify more than one type of traffic in the same rule.To support different traffic type, with the same source, destination address and action, different rules need to be created. This makes the process of defining firewall rules un-scalable so a new FWaaS extension

with two resources service_group and service_object are added.

multiple service group and service objects can be configured to allow flexibility and grouping of traffic. Service objects are grouped into service group that can be referenced from other openstack modules (eg. firewall rule, securitygroup etc). currently firewall rule has multiple service groups to allow the user flexibilty to define their own groups and use them without impacting the other users. Each service object can be defined with a timeout value that can be used to overwrite default session idle timeout value.

FWaaS SVG Blueprint

FWaaS SVG Patch

SVG python-neutronclient Patch

SVG Tempest

FWaaS SVG Testing

To set up firewalls and detailed info please follow firewall testing page <https://wiki.openstack.org/wiki/Quantum/FWaaS/Testing> List of commands to facilitate data path configurations in line with current reference model

(neutron) service-group-create sgc
Created a new service_group:
+-----------------+--------------------------------------+
| Field           | Value                                |
+-----------------+--------------------------------------+
| description     |                                      |
| id              | 7bac1b2b-3c22-48da-b133-e295c8901de0 |
| name            | sgc                                  |
| service_objects |                                      |
| tenant_id       | 3e7d8af46b474c239852105b2091259e     |
+-----------------+--------------------------------------+

(neutron)  service-object-create --protocol tcp --source-port-range 10000:20000 soc sgc     
Created a new service_object:
+------------------+--------------------------------------+
| Field            | Value                                |
+------------------+--------------------------------------+
| destination_port |                                      |
| icmp_code        |                                      |
| icmp_type        |                                      |
| id               | 5a747451-7896-4d2b-90b3-d667b5306c5f |
| name             | soc                                  |
| protocol         | tcp                                  |
| source_port      | 10000:20000                          |
| tenant_id        | 3e7d8af46b474c239852105b2091259e     |
| timeout          | 0                                    |
+------------------+--------------------------------------+

(neutron)  firewall-rule-create --service-group sgc --service-group sgc1 --action allow
Created a new firewall_rule:
+------------------------+--------------------------------------+
| Field                  | Value                                |
+------------------------+--------------------------------------+
| action                 | allow                                |
| description            |                                      |
| destination_ip_address |                                      |
| destination_port       |                                      |
| enabled                | True                                 |
| firewall_policy_id     |                                      |
| id                     | 7a8423bc-dcfc-4460-b423-2420437b89bf |
| ip_version             | 4                                    |
| name                   |                                      |
| position               |                                      |
| protocol               |                                      |
| shared                 | False                                |
| source_ip_address      |                                      |
| source_port            |                                      |
| tenant_id              | 3e7d8af46b474c239852105b2091259e     |
+------------------------+--------------------------------------+

Tempest Tests

Neutron API tests

Started with individual runs of the different API tests present for Neutron

Just used nosetests to run the tests individually as below:

/opt/stack/tempest$ nosetests tempest.api.network.test_service_groups.py

@@ Line 1: / Line 1: @@
-Two resources service_group and service_object are added,
+In FWaaS, administrator can use port range and protocol inside firewall rules
+to define traffic type. But we don't have a flexible way to allow user to specify more
+than one type of traffic in the same rule.To support different traffic type, with the
+same source, destination address and action, different rules need to be created.
+This makes the process of defining firewall rules un-scalable so a new FWaaS extension
+ with two resources service_group and service_object are added.
 multiple service group and service objects can be configured to
-allow flexibility and grouping of traffic, service group consists of
+allow flexibility and grouping of traffic.
-multiple service objects, admin can create multiple service groups to
+Service objects are grouped into service group that can be referenced
-provide more flexibility to tenants for using them without
-disturbing other tenants.
-due to many to many relationship between service groups and
-service objects, to associate them an association table is introduced,
-currently only service object config is the way to associate to service
-group
-The service objects are grouped into service group that can be referenced
 from other openstack modules (eg. firewall rule, securitygroup etc).
 currently firewall rule has multiple service groups to allow the
 user flexibilty to define their own groups and use them without impacting
-the other users. due to many to many relationship between service groups and
+the other users.
-firewall rules exists an association table is introduced,
 Each service object can be defined with a timeout value that can be used
 to overwrite default session idle timeout value.
+[https://review.openstack.org/#/c/94133/9/specs/juno/service-group.rst FWaaS SVG Blueprint]
+[https://review.openstack.org/#/c/106274/ FWaaS SVG Patch]
+[https://review.openstack.org/#/c/105873/ SVG python-neutronclient Patch]
+[https://review.openstack.org/#/c/113409/ SVG Tempest]
+=== FWaaS SVG Testing ===
+To set up firewalls and detailed info please follow firewall testing page
+<https://wiki.openstack.org/wiki/Quantum/FWaaS/Testing>
+List of commands to facilitate data path configurations in line with current
+reference model
+<pre><nowiki>
+(neutron) service-group-create sgc
+Created a new service_group:
++-----------------+--------------------------------------+
+| Field           | Value                                |
++-----------------+--------------------------------------+
+| description     |                                      |
+| id              | 7bac1b2b-3c22-48da-b133-e295c8901de0 |
+| name            | sgc                                  |
+| service_objects |                                      |
+| tenant_id       | 3e7d8af46b474c239852105b2091259e     |
++-----------------+--------------------------------------+
+</nowiki></pre>
+<pre><nowiki>
+(neutron)  service-object-create --protocol tcp --source-port-range 10000:20000 soc sgc
+Created a new service_object:
++------------------+--------------------------------------+
+| Field            | Value                                |
++------------------+--------------------------------------+
+| destination_port |                                      |
+| icmp_code        |                                      |
+| icmp_type        |                                      |
+| id               | 5a747451-7896-4d2b-90b3-d667b5306c5f |
+| name             | soc                                  |
+| protocol         | tcp                                  |
+| source_port      | 10000:20000                          |
+| tenant_id        | 3e7d8af46b474c239852105b2091259e     |
+| timeout          | 0                                    |
++------------------+--------------------------------------+
+</nowiki></pre>
+<pre><nowiki>
+(neutron)  firewall-rule-create --service-group sgc --service-group sgc1 --action allow
+Created a new firewall_rule:
++------------------------+--------------------------------------+
+| Field                  | Value                                |
++------------------------+--------------------------------------+
+| action                 | allow                                |
+| description            |                                      |
+| destination_ip_address |                                      |
+| destination_port       |                                      |
+| enabled                | True                                 |
+| firewall_policy_id     |                                      |
+| id                     | 7a8423bc-dcfc-4460-b423-2420437b89bf |
+| ip_version             | 4                                    |
+| name                   |                                      |
+| position               |                                      |
+| protocol               |                                      |
+| shared                 | False                                |
+| source_ip_address      |                                      |
+| source_port            |                                      |
+| tenant_id              | 3e7d8af46b474c239852105b2091259e     |
++------------------------+--------------------------------------+
+</nowiki></pre>
+== Tempest Tests ==
+=== Neutron API tests ===
+Started with individual runs of the different API tests present for Neutron
+Just used nosetests to run the tests individually as below:
+<pre><nowiki>
+/opt/stack/tempest$ nosetests tempest.api.network.test_service_groups.py
+</nowiki></pre>