Difference between revisions of "Neutron/FWaaS/HavanaPlan"

Line 20: Line 20:
 
| Devstack || https://blueprints.launchpad.net/devstack/+spec/quantum-fwaas-devstack || H3
 
| Devstack || https://blueprints.launchpad.net/devstack/+spec/quantum-fwaas-devstack || H3
 
|-
 
|-
| Documentation || Blueprint-link || H3
+
| Documentation || Admin guide: https://blueprints.launchpad.net/openstack-manuals/+spec/neutron-fwaas-deployment, API:  || H3
 
|-
 
|-
 
| Heat || https://blueprints.launchpad.net/heat/+spec/fwaas-heat || H3 (stretch goal)
 
| Heat || https://blueprints.launchpad.net/heat/+spec/fwaas-heat || H3 (stretch goal)
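
Review bot: In the updated Documentation row, the "API:" label is followed by nothing, so the cell ends with a dangling label just before "|| H3". Either add the API documentation blueprint link after "API:" or drop the label until that blueprint exists, so readers are not left looking for a missing reference.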

Revision as of 19:55, 30 July 2013

The following is the proposed plan and schedule for the design and implementation of the Firewall as a Service (FWaaS) feature in OpenStack Networking for the Havana release. While our long-term goal for FWaaS is to make it very feature-rich, we will follow a pragmatic path: develop in iterations, and deliver a basic experimental reference implementation that will allow us to evaluate the API, resource model and usability of this feature. This will allow us to gather feedback and make enhancements if required.

{|
! Task !! Blueprint !! Milestone
|-
| API, Resource and DB Models || https://blueprints.launchpad.net/quantum/+spec/quantum-fwaas || H2 (merged in H3)
|-
| FW Service Plugin || https://blueprints.launchpad.net/quantum/+spec/quantum-fwaas-plugin || H2
|-
| FW Agent || https://blueprints.launchpad.net/quantum/+spec/quantum-fwaas-agent || H2
|-
| FW Driver || https://blueprints.launchpad.net/quantum/+spec/quantum-fwaas-iptables-driver || H2
|-
| Client library & CLI || https://blueprints.launchpad.net/python-quantumclient/+spec/fwaas-client-cli || H2
|-
| Horizon || https://blueprints.launchpad.net/horizon/+spec/fwaas-horizon || H3
|-
| Devstack || https://blueprints.launchpad.net/devstack/+spec/quantum-fwaas-devstack || H3
|-
| Documentation || Admin guide: https://blueprints.launchpad.net/openstack-manuals/+spec/neutron-fwaas-deployment, API: || H3
|-
| Heat || https://blueprints.launchpad.net/heat/+spec/fwaas-heat || H3 (stretch goal)
|}

Reference Implementation

The current plan is to provide an Iptables-based (possibly using Ipsets) reference backend implementation to realize the firewall rules. The Iptables configuration will be realized by an agent-driver combination that will program the Iptables rules on a gateway host. This agent will most likely be collocated with the L3 agent (possibly leveraged as a mixin class).

Firewall Mode

Based on the above deployment configuration, this reference implementation will serve as a perimeter firewall. In the future, we will extend this with firewall drivers that will allow us to demonstrate the firewall deployment in other modes (e.g. L2, bump-in-the-wire).