Difference between revisions of "Neutron/FWaaS/HowToInstall"


Revision as of 05:15, 3 September 2013

Installation

Checkout Test branches

  • Horizon: https://review.openstack.org/#/c/38724/
  • Devstack: https://review.openstack.org/#/c/37147/

Please add this line to localrc:

   enable_service q-fwaas

Setup Params

  • If you used the devstack patch above, you can skip this section
  • If you did not use the devstack patch above and installed devstack from trunk, add the following to /etc/neutron/neutron.conf after the installation:

service_plugins = neutron.services.firewall.fwaas_plugin.FirewallPlugin

Note: you can also add this line to localrc before running stack.sh, so that the above configuration is generated automatically:

   Q_SERVICE_PLUGIN_CLASSES=neutron.services.firewall.fwaas_plugin.FirewallPlugin


  • Add the following file:

/etc/neutron/fwaas_driver.ini

[fwaas]
driver = neutron.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver
enabled = True
  • Restart the l3 agent

When restarting, you also need to pass the fwaas_driver.ini config file as an additional --config-file argument:

cd /opt/stack/neutron && python /usr/local/bin/neutron-openvswitch-agent --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini --config-file /etc/neutron/fwaas_driver.ini || touch "/opt/stack/status/stack/q-agt.failure"
  • Restart the neutron server

CLI/REST Walkthrough

CLI

  • To list firewalls, firewall_policies, firewall_rules:
neutron firewall-list
neutron firewall-policy-list
neutron firewall-rule-list
  • Create firewall rule:
neutron firewall-rule-create --protocol tcp --destination-port 80 --action allow
Created a new firewall_rule:
+------------------------+--------------------------------------+
| Field                  | Value                                |
+------------------------+--------------------------------------+
| action                 | allow                                |
| description            |                                      |
| destination_ip_address |                                      |
| destination_port       | 80                                   |
| enabled                | True                                 |
| firewall_policy_id     |                                      |
| id                     | 1283a548-9ca8-4a7b-a187-fc21c7fefe8e |
| ip_version             | 4                                    |
| name                   |                                      |
| position               |                                      |
| protocol               | tcp                                  |
| shared                 | False                                |
| source_ip_address      |                                      |
| source_port            |                                      |
| tenant_id              | baaaf4da44874e3f82ff93beba64117e     |
+------------------------+--------------------------------------+
  • Create firewall policy with rules:
neutron firewall-policy-create --firewall-rules "1283a548-9ca8-4a7b-a187-fc21c7fefe8e ef9fe8d1-1d79-485b-9d90-d1dd4bf228b5" test-policy
Created a new firewall_policy:
+----------------+--------------------------------------+
| Field          | Value                                |
+----------------+--------------------------------------+
| audited        | False                                |
| description    |                                      |
| firewall_rules | 1283a548-9ca8-4a7b-a187-fc21c7fefe8e |
|                | ef9fe8d1-1d79-485b-9d90-d1dd4bf228b5 |
| id             | 257f0a59-5b16-486b-aae2-b57c60e2053f |
| name           | test-policy                          |
| shared         | False                                |
| tenant_id      | baaaf4da44874e3f82ff93beba64117e     |
+----------------+--------------------------------------+
  • Create the firewall with the policy association:
neutron firewall-create 257f0a59-5b16-486b-aae2-b57c60e2053f
Created a new firewall:
+--------------------+--------------------------------------+
| Field              | Value                                |
+--------------------+--------------------------------------+
| admin_state_up     | True                                 |
| description        |                                      |
| firewall_policy_id | 257f0a59-5b16-486b-aae2-b57c60e2053f |
| id                 | 28530399-d8ee-4700-9685-ee5d645f4d59 |
| name               |                                      |
| status             | PENDING_CREATE                       |
| tenant_id          | baaaf4da44874e3f82ff93beba64117e     |
+--------------------+--------------------------------------+
  • Check that the firewall is in the ACTIVE state before performing the next operation on it:
neutron firewall-show 28530399-d8ee-4700-9685-ee5d645f4d59
+--------------------+--------------------------------------+
| Field              | Value                                |
+--------------------+--------------------------------------+
| admin_state_up     | True                                 |
| description        |                                      |
| firewall_policy_id | 257f0a59-5b16-486b-aae2-b57c60e2053f |
| id                 | 28530399-d8ee-4700-9685-ee5d645f4d59 |
| name               |                                      |
| status             | ACTIVE                               |
| tenant_id          | baaaf4da44874e3f82ff93beba64117e     |
+--------------------+--------------------------------------+
  • Delete the firewall:
neutron firewall-delete 28530399-d8ee-4700-9685-ee5d645f4d59
Deleted firewall: 28530399-d8ee-4700-9685-ee5d645f4d59

REST calls using curl:

   export q_url=http://<neutron-server-ip>:9696/v2.0

for example

   export q_url=http://127.0.0.1:9696/v2.0

and

   export auth_token=<auth_token>

where <auth_token> is the token obtained from:

   keystone token-get

or

   export auth_token=`keystone token-get | awk '/id/{print $4}' | head -n1`
  • To list firewalls, firewall_policies, firewall_rules:
   curl -X GET -H "X-Auth-Token: $auth_token" $q_url/fw/firewalls | python -mjson.tool
   curl -X GET -H "X-Auth-Token: $auth_token" $q_url/fw/firewall_policies | python -mjson.tool
   curl -X GET -H "X-Auth-Token: $auth_token" $q_url/fw/firewall_rules | python -mjson.tool
  • Create firewall rule:
   curl -X POST -H "X-Auth-Token: $auth_token" -H "Content-type:application/json" -d '{"firewall_rule": {"protocol": "tcp", "destination_port": "80", "action": "allow"}}' $q_url/fw/firewall_rules
  • Create firewall policy:
   curl -X POST -H "X-Auth-Token: $auth_token" -H "Content-type:application/json" -d '{"firewall_policy": {"name": "fwasspolicy"} }' $q_url/fw/firewall_policies
  • Add rule to policy (this could have been done while creating the firewall policy too):
   curl -X PUT -H "X-Auth-Token: $auth_token" -H "Content-type:application/json" -d '{"firewall_policy": {"firewall_rules": ["1d47c609-8fd1-4aad-97fd-157887c47b4f"]}}' $q_url/fw/firewall_policies/9c50d2d0-3a85-4ed7-a20f-bef8c08233e3
  • Create the firewall with the policy association:
   curl -X POST -H "X-Auth-Token: $auth_token" -H "Content-type:application/json" -d '{"firewall": {"name": "fwasstest", "firewall_policy_id": "9c50d2d0-3a85-4ed7-a20f-bef8c08233e3"} }' $q_url/fw/firewalls
  • Delete the firewall:
   curl -X DELETE -H "X-Auth-Token: $auth_token" $q_url/fw/firewalls/9649548e-b87f-4c56-bbb7-5ee84b316da1