Latest revision as of 22:29, 16 February 2013

• Git Branch: https://github.com/locaweb/quantum

Handling layer 3

Abstract

The idea behind this blueprint is to extend quantum to provide a generic interface to control datacenter firewalls

Design

Summary

Agents are running on firewalls to execute the proper work dictated by quantum via amqp: The firewall plugin is currently working with linux, but the data model should be usable with any firewall regarding the agent development

Firewall

Firewall agent runs on top of linux firewall box, each ip has its own firewall policy for input and output traffic and you can also enforce a range or network policy to each one which will prevail over the bottom level policy, according to the follow hierarchy: network > vlan > range > ip

Proposed Quantum API Operations

Policies

Create Policy

Creating a Policy should be done directly associated with the network entity. Quantum should handle which firewalls would process the policy, based on the provided dst, cidr or vlan. The default firewall policy we are working with is DROP, so the policies you should add are to ALLOW the packages.

Request:

POST /tenants/XYZ/networks/158233b0-ca9a-40b4-8614-54a4a99d47d1/policies.xml

<policy>
    <protocol>tcp</protocol>
    <src>0.0.0.0/0</src>
    <dst_port>80</dst_port>
</policy>

Response:

<policy> 
    <id>98017ddc-efc8-4c25-a915-774b2a633855<id/>
    <protocol>tcp</protocol>
    <src>0.0.0.0/0</src>
    <dst_port>80</dst_port>
</policy>

List Policies

Request:

GET /tenants/XYZ/networks/158233b0-ca9a-40b4-8614-54a4a99d47d1/policies.xml

Response:

<policies>
    <!-- network policy -->
    <policy>
        <id>98017ddc-efc8-4c25-a915-774b2a633855<id/>
        <protocol>tcp</protocol>
        <src>0.0.0.0/0</src>
        <dst_port>80</dst_port>
    </policy>
    <!-- vlan policy -->
    <policy> 
        <id>98017ddc-efc8-4c25-a915-774b2a633858<id/>
        <protocol>tcp</protocol>
        <src>0.0.0.0/0</src>
        <dst>vl-smtp-01</dst>
        <dst_port>8081</dst_port>
    </policy>
    <!-- range policy -->
    <policy> 
        <id>98017ddc-efc8-4c25-a915-774b2a633856<id/>
        <protocol>tcp</protocol>
        <src>0.0.0.0/0</src>
        <dst>192.168.1.0/24</dst>
        <dst_port>8080</dst_port>
    </policy>
    <!-- ip policy -->
    <policy> 
        <id>98017ddc-efc8-4c25-a915-774b2a633857<id/>
        <protocol>tcp</protocol>
        <src>0.0.0.0/0</src>
        <dst>192.168.1.3</dst>
        <dst_port>8000</dst_port>
    </policy>
</policy>

Delete Policy

Request:

DELETE /tenants/XYZ/networks/158233b0-ca9a-40b4-8614-54a4a99d47d1/policies/98017ddc-efc8-4c25-a915-774b2a633855.xml

Devices

Describes Devices associated with a network.

Create Devices/Associate with a network

POST /tenants/XYZ/networks/158233b0-ca9a-40b4-8614-54a4a99d47d1/device.xml

<vlan>
   <name>firewall-01</name>
</vlan>

Vlans

Describes Vlans associated with a network.

Create Vlan/Associate with a network

POST /tenants/XYZ/networks/158233b0-ca9a-40b4-8614-54a4a99d47d1/vlan.xml

<vlan>
   <name>vl-smtp-01</name>
</vlan>

Attach a Vlan to device

POST /tenants/XYZ/networks/158233b0-ca9a-40b4-8614-54a4a99d47d1/device/98017ddc-efc8-4c25-a915-774b2a633859/ranges.xml

<vlan>
   <name>vl-smtp-01</name>
</vlan>

Ranges

Describes IP ranges associated with a vlan. Quantum should validade if the range isn't conflicting with any range associated with the vlan.

Create Range/Associate with a vlan

POST /tenants/XYZ/networks/158233b0-ca9a-40b4-8614-54a4a99d47d1/vlan/98017ddc-efc8-4c25-a915-774b2a633858/ranges.xml

<ip_range>
   <address>192.168.0.0/24</address>
</ip_range>

IPs

Describes which IPs are allowed in a network's port. Quantum should validade if the network is compatible with a range that may contain the IP.

Create IP

POST /tenants/XYZ/networks/158233b0-ca9a-40b4-8614-54a4a99d47d1/ports/98017ddc-efc8-4c25-a915-774b2a633855/ips.xml

<ip>
   <address>192.168.0.3</address>
</ip>

(Contact: Willian Molinari (PotHix), Thiago Morello, Juliano Martinez (ncode))