Quantum-generic-firewall
- Git Branch: https://github.com/locaweb/quantum
Handling layer 3
Abstract
The idea behind this blueprint is to extend Quantum to provide a generic interface for controlling datacenter firewalls.
Design
[Image: L3 Firewalls and DHCPs Design]
Summary
Agents run on the firewalls and execute the work dictated by Quantum over AMQP. The firewall plugin currently works with Linux, but the data model should be usable with any firewall for which an agent is developed.
Firewall
The firewall agent runs on top of a Linux firewall server. Each IP has its own firewall policy for input and output traffic, and you can also enforce a range or network policy on each one, which prevails over the lower-level policy according to the following hierarchy: network > vlan > range > ip
Proposed Quantum API Operations
Policies
Create Policy
Creating a policy is done directly against the network entity. Quantum should decide which firewalls process the policy based on the provided dst address (or send it to all firewalls in the network if no dst address is provided: a network policy), validating that the dst is configured in the network (IP or range). The default firewall policy we are working with is DROP, so the policies you add are the ones that ALLOW packets.
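The following is an added example, not code from the Quantum branch above, that models the decision described in this section and the hierarchy from the Summary: a policy without dst is a network policy sent to every firewall, a dst equal to a configured range is a range policy, a dst equal to a configured IP is an IP policy, and anything else is rejected. The `firewall` attribute on a range (which agent serves it) and the `prevailing_policy` lookup are assumptions made for the example; the vlan level is kept in the precedence table but not classified, because the page does not say how a vlan is addressed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Precedence from the design page: a higher level prevails over a lower one.
HIERARCHY = ("network", "vlan", "range", "ip")


@dataclass
class Range:
    cidr: ipaddress.IPv4Network
    firewall: str  # assumed: name of the firewall agent serving this range


@dataclass
class Policy:
    protocol: str
    src: ipaddress.IPv4Network
    dst_port: int
    dst: Optional[ipaddress.IPv4Network] = None  # None means a network policy
    scope: str = "network"


@dataclass
class Network:
    ranges: list = field(default_factory=list)
    ips: set = field(default_factory=set)
    policies: list = field(default_factory=list)

    def firewalls(self):
        return sorted({r.firewall for r in self.ranges})


def scope_of(net, dst):
    """Classify a policy by its dst and return (scope, firewalls to notify).

    Raises ValueError when dst is neither an IP nor a range configured in
    the network, which is the validation the design asks Quantum to do.
    """
    if dst is None:
        return "network", net.firewalls()
    if dst.prefixlen == 32:
        addr = dst.network_address
        if addr not in net.ips:
            raise ValueError(f"{addr} is not an IP configured in this network")
        return "ip", sorted({r.firewall for r in net.ranges if addr in r.cidr})
    for r in net.ranges:
        if r.cidr == dst:
            return "range", [r.firewall]
    raise ValueError(f"{dst} is not a range configured in this network")


def create_policy(net, protocol, src, dst_port, dst=None):
    """Mirror of POST .../policies: validate dst, store, return agents to notify."""
    dst_net = ipaddress.ip_network(dst) if dst else None
    scope, firewalls = scope_of(net, dst_net)
    policy = Policy(protocol, ipaddress.ip_network(src), dst_port, dst_net, scope)
    net.policies.append(policy)
    return policy, firewalls


def prevailing_policy(net, dst_ip, protocol, dst_port, src_ip="0.0.0.0"):
    """Return the matching policy that prevails for a packet, or None (default DROP)."""
    dst_ip = ipaddress.ip_address(dst_ip)
    src_ip = ipaddress.ip_address(src_ip)
    matches = [
        p for p in net.policies
        if p.protocol == protocol and p.dst_port == dst_port
        and src_ip in p.src and (p.dst is None or dst_ip in p.dst)
    ]
    if not matches:
        return None
    return min(matches, key=lambda p: HIERARCHY.index(p.scope))


def is_allowed(net, dst_ip, protocol, dst_port, src_ip="0.0.0.0"):
    return prevailing_policy(net, dst_ip, protocol, dst_port, src_ip) is not None


def demo_network():
    """Constructed sample: two ranges on two firewalls and two configured IPs."""
    net = Network()
    net.ranges.append(Range(ipaddress.ip_network("192.168.1.0/24"), "fw-a"))
    net.ranges.append(Range(ipaddress.ip_network("10.0.0.0/24"), "fw-b"))
    net.ips.update({ipaddress.ip_address("192.168.1.3"),
                    ipaddress.ip_address("10.0.0.5")})
    return net


if __name__ == "__main__":
    net = demo_network()
    print(create_policy(net, "tcp", "0.0.0.0/0", 80))
    print(create_policy(net, "tcp", "0.0.0.0/0", 8000, dst="192.168.1.3"))
    print(is_allowed(net, "192.168.1.3", "tcp", 80, "203.0.113.9"))
```

Because only ALLOW policies exist and the default is DROP, `is_allowed` only needs any match; `prevailing_policy` additionally shows which level wins when a range and an IP policy both match the same packet.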
Request:
POST /tenants/XYZ/networks/158233b0-ca9a-40b4-8614-54a4a99d47d1/policies.xml
{{{#!highlight xml
<policy>
  <protocol>tcp</protocol>
  <src>0.0.0.0/0</src>
  <dst_port>80</dst_port>
</policy>
}}}
Response:
{{{#!highlight xml
<policy>
  <id>98017ddc-efc8-4c25-a915-774b2a633855</id>
  <protocol>tcp</protocol>
  <src>0.0.0.0/0</src>
  <dst_port>80</dst_port>
</policy>
}}}
List Policies
Request:
GET /tenants/XYZ/networks/158233b0-ca9a-40b4-8614-54a4a99d47d1/policies.xml
Response:
{{{#!highlight xml
<policies>
  <!-- network policy -->
  <policy>
    <id>98017ddc-efc8-4c25-a915-774b2a633855</id>
    <protocol>tcp</protocol>
    <src>0.0.0.0/0</src>
    <dst_port>80</dst_port>
  </policy>
  <!-- vlan policy -->
  <policy>
    <id>98017ddc-efc8-4c25-a915-774b2a633858</id>
    <protocol>tcp</protocol>
    <src>0.0.0.0/0</src>
    <dst>192.168.1.0/25</dst>
    <dst_port>8081</dst_port>
  </policy>
  <!-- range policy -->
  <policy>
    <id>98017ddc-efc8-4c25-a915-774b2a633856</id>
    <protocol>tcp</protocol>
    <src>0.0.0.0/0</src>
    <dst>192.168.1.0/24</dst>
    <dst_port>8080</dst_port>
  </policy>
  <!-- ip policy -->
  <policy>
    <id>98017ddc-efc8-4c25-a915-774b2a633857</id>
    <protocol>tcp</protocol>
    <src>0.0.0.0/0</src>
    <dst>192.168.1.3</dst>
    <dst_port>8000</dst_port>
  </policy>
</policies>
}}}
Delete Policy
Request:
DELETE /tenants/XYZ/networks/158233b0-ca9a-40b4-8614-54a4a99d47d1/policies/98017ddc-efc8-4c25-a915-774b2a633855.xml
Vlans
Describes Vlans associated with a network.
Create Vlan/Associate with a network
POST /tenants/XYZ/networks/158233b0-ca9a-40b4-8614-54a4a99d47d1/vlan.xml
{{{#!highlight xml
<vlan>
  <name>vl-smtp-01</name>
</vlan>
}}}
Ranges
Describes IP ranges associated with a vlan. Quantum should validate that the range does not conflict with any range already associated with the vlan.
Create Range/Associate with a vlan
POST /tenants/XYZ/networks/158233b0-ca9a-40b4-8614-54a4a99d47d1/vlan/98017ddc-efc8-4c25-a915-774b2a633858/ranges.xml
{{{#!highlight xml
<ip_range>
  <address>192.168.0.0/24</address>
</ip_range>
}}}
IPs
Describes which IPs are allowed on a network's port. Quantum should validate that the network contains a range which may contain the IP.
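An added example (not the project's code) of the two validations this page asks Quantum to perform when ranges and IPs are created: a new range must not overlap any range already on the vlan, and an IP attached to a port must fall inside one of the network's ranges. The `Vlan`/`Network` containers and the `port_ips` mapping are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Vlan:
    name: str
    ranges: list = field(default_factory=list)  # ipaddress.IPv4Network objects


@dataclass
class Network:
    vlans: list = field(default_factory=list)
    port_ips: dict = field(default_factory=dict)  # port id -> set of addresses


def add_range(vlan, cidr):
    """POST .../vlan/<id>/ranges: reject a range that conflicts with one on the vlan."""
    # ip_network is strict by default, so "192.168.0.1/24" is rejected as malformed
    # rather than silently widened to 192.168.0.0/24.
    new = ipaddress.ip_network(cidr)
    for existing in vlan.ranges:
        # overlaps() catches both a subnet of an existing range and a supernet of one
        if new.overlaps(existing):
            raise ValueError(f"{new} conflicts with existing range {existing}")
    vlan.ranges.append(new)
    return new


def add_ip(net, port_id, address):
    """POST .../ports/<id>/ips: the address must be inside a range of the network."""
    addr = ipaddress.ip_address(address)
    container = next(
        (r for v in net.vlans for r in v.ranges if addr in r), None)
    if container is None:
        raise ValueError(f"{addr} is not inside any range of this network")
    net.port_ips.setdefault(port_id, set()).add(addr)
    return container  # the range that made the IP acceptable


if __name__ == "__main__":
    # constructed sample data
    vlan = Vlan("vl-smtp-01")
    add_range(vlan, "192.168.0.0/24")
    net = Network(vlans=[vlan])
    print(add_ip(net, "port-1", "192.168.0.3"))
```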
Create IP
POST /tenants/XYZ/networks/158233b0-ca9a-40b4-8614-54a4a99d47d1/ports/98017ddc-efc8-4c25-a915-774b2a633855/ips.xml
{{{#!highlight xml
<ip>
  <address>192.168.0.3</address>
</ip>
}}}
(Contact: Willian Molinari (PotHix), Thiago Morello, Juliano Martinez (ncode))