Difference between revisions of "Quantum-l3-firewalls-and-dhcps"
| Line 33: | Line 33: | ||
[[Media:quantum-l3-firewalls-and-dhcps$firewall.png||alt L3 Firewalls Workflow]] | [[Media:quantum-l3-firewalls-and-dhcps$firewall.png||alt L3 Firewalls Workflow]] | ||
| − | + | = Proposed Quantum APIs = | |
| − | + | == Policies == | |
| − | + | '''Create Policy''' | |
| + | |||
| + | Creating a Policy should be done directly associated with the network entity. | ||
| + | Quantum should handle which firewalls would process the policy, based on the provided dst address (or send to all firewall in the network if no dst address is provided - network policy) | ||
| + | |||
| + | Request: | ||
| + | |||
| + | POST /tenants/XYZ/networks/158233b0-ca9a-40b4-8614-54a4a99d47d1/policies.xml | ||
| + | |||
| + | <pre><nowiki>#!highlight xml | ||
| + | <policy> | ||
| + | <protocol>tcp</protocol> | ||
| + | <src>0.0.0.0/0</src> | ||
| + | <dst_port>80</dst_port> | ||
| + | </policy> | ||
| + | </nowiki></pre> | ||
| + | |||
| + | |||
| + | Response: | ||
| + | |||
| + | <pre><nowiki>#!highlight xml | ||
| + | <policy> | ||
| + | <id>98017ddc-efc8-4c25-a915-774b2a633855<id/> | ||
| + | <protocol>tcp</protocol> | ||
| + | <src>0.0.0.0/0</src> | ||
| + | <dst_port>80</dst_port> | ||
| + | </policy> | ||
| + | </nowiki></pre> | ||
| + | |||
| + | |||
| + | '''List Policies''' | ||
Request: | Request: | ||
| Line 74: | Line 104: | ||
| − | ''' | + | '''Delete Policy''' |
Request: | Request: | ||
| − | + | DELETE /tenants/XYZ/networks/158233b0-ca9a-40b4-8614-54a4a99d47d1/policies/98017ddc-efc8-4c25-a915-774b2a633855.xml | |
| + | |||
| + | == DHCPs == | ||
| + | |||
| + | A network ability to provide DHCP would be based only on it having an DHCP server associated with it. | ||
| + | |||
| + | '''Create DHCP''' | ||
| + | |||
| + | POST /tenants/XYZ/dhcps.xml | ||
| + | |||
| + | <pre><nowiki>#!highlight xml | ||
| + | <dhcp> | ||
| + | <name>dhcp01</dhcp> | ||
| + | <address>192.168.0.254</address> | ||
| + | </dhcp> | ||
| + | </nowiki></pre> | ||
| + | |||
| + | |||
| + | '''Associate DHCP with a range within a network''' | ||
| + | |||
| + | PUT /tenants/XYZ/dhcps/158233b0-ca9a-40b4-8614-54a4a99d47d1/ranges.xml | ||
<pre><nowiki>#!highlight xml | <pre><nowiki>#!highlight xml | ||
| − | < | + | <ip_range> |
| − | + | <id>98017ddc-efc8-4c25-a915-774b2a633855</id> | |
| − | + | </ip_range> | |
| − | |||
| − | </ | ||
</nowiki></pre> | </nowiki></pre> | ||
| + | == Ranges == | ||
| + | |||
| + | Describes IP ranges associated with a network | ||
| + | |||
| + | '''Create Range/Associate with a network''' | ||
| − | + | POST /tenants/XYZ/networks/158233b0-ca9a-40b4-8614-54a4a99d47d1/ranges.xml | |
<pre><nowiki>#!highlight xml | <pre><nowiki>#!highlight xml | ||
| − | < | + | <ip_range> |
| − | + | <address>192.168.0.0/24</address> | |
| − | + | </ip_range> | |
| − | |||
| − | |||
| − | </ | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | ''' | + | == IPs == |
| + | |||
| + | Describes which IPs are allowed in a network's port | ||
| + | |||
| + | '''Create IP''' | ||
| + | |||
| + | POST /tenants/XYZ/networks/158233b0-ca9a-40b4-8614-54a4a99d47d1/ports/98017ddc-efc8-4c25-a915-774b2a633855/ips.xml | ||
| − | + | <pre><nowiki>#!highlight xml | |
| + | <ip> | ||
| + | <address>192.168.0.3</address> | ||
| + | </ip> | ||
| + | </nowiki></pre> | ||
| − | |||
(Contact: Willian Molinari ([[PotHix]]), Thiago Morello, Juliano Martinez) <<BR>> | (Contact: Willian Molinari ([[PotHix]]), Thiago Morello, Juliano Martinez) <<BR>> | ||
Revision as of 03:50, 31 March 2012
- Git Branch: https://github.com/locaweb/quantum
Blanka layer 3 plugin
<<TableOfContents()>>
Abstract
Blanka is a quantum plugin to handle layer 3.
Blanka plugin extends quantum and provides mainly firewalls and dhcps.
Design
|alt L3 Firewalls and DHCPs Design
Summary
Agents are running on dhcps and firewalls to execute the proper work dictated by quantum via amqp: dhcp plugin works with any *nix os that uses isc-dhcp-server. firewall plugin is currently working with linux, but the data model should be usable with any firewall appliance
DHCP
DHCP servers run on the hypervisor server where the VM is running, providing better fail-over architecture. It follows the logic: get data from the amqp server, write the template file ( witch uses cheetah templates ) and send a request to quantum committing the action. The agent knows how to keep the dhcp server running in case of wrong data format sent to it.
Firewall
Firewall agent run o top of linux firewall server, each ip has its own firewall policy for input and output traffic and you can also enforce a range or network policy to each one which will prevail over the bottom level policy, according to the follow hierarchy: network > range > ip. This agent works retrieving data from amqp, running the iptables rule and sending a request to commit the action.
Proposed Quantum APIs
Policies
Create Policy
Creating a Policy should be done directly associated with the network entity. Quantum should handle which firewalls would process the policy, based on the provided dst address (or send to all firewall in the network if no dst address is provided - network policy)
Request:
POST /tenants/XYZ/networks/158233b0-ca9a-40b4-8614-54a4a99d47d1/policies.xml
#!highlight xml
<policy>
<protocol>tcp</protocol>
<src>0.0.0.0/0</src>
<dst_port>80</dst_port>
</policy>
Response:
#!highlight xml
<policy>
<id>98017ddc-efc8-4c25-a915-774b2a633855<id/>
<protocol>tcp</protocol>
<src>0.0.0.0/0</src>
<dst_port>80</dst_port>
</policy>
List Policies
Request:
GET /tenants/XYZ/networks/158233b0-ca9a-40b4-8614-54a4a99d47d1/policies.xml
Response:
#!highlight xml
<policies>
<!-- network policy -->
<policy>
<id>98017ddc-efc8-4c25-a915-774b2a633855<id/>
<protocol>tcp</protocol>
<src>0.0.0.0/0</src>
<dst_port>80</dst_port>
</policy>
<!-- range policy -->
<policy>
<id>98017ddc-efc8-4c25-a915-774b2a633856<id/>
<protocol>tcp</protocol>
<src>0.0.0.0/0</src>
<dst>192.168.1.0/24</dst>
<dst_port>8080</dst_port>
</policy>
<!-- ip policy -->
<policy>
<id>98017ddc-efc8-4c25-a915-774b2a633857<id/>
<protocol>tcp</protocol>
<src>0.0.0.0/0</src>
<dst>192.168.1.3</dst>
<dst_port>8000</dst_port>
</policy>
</policy>
Delete Policy
Request:
DELETE /tenants/XYZ/networks/158233b0-ca9a-40b4-8614-54a4a99d47d1/policies/98017ddc-efc8-4c25-a915-774b2a633855.xml
DHCPs
A network ability to provide DHCP would be based only on it having an DHCP server associated with it.
Create DHCP
POST /tenants/XYZ/dhcps.xml
#!highlight xml <dhcp> <name>dhcp01</dhcp> <address>192.168.0.254</address> </dhcp>
Associate DHCP with a range within a network
PUT /tenants/XYZ/dhcps/158233b0-ca9a-40b4-8614-54a4a99d47d1/ranges.xml
#!highlight xml <ip_range> <id>98017ddc-efc8-4c25-a915-774b2a633855</id> </ip_range>
Ranges
Describes IP ranges associated with a network
Create Range/Associate with a network
POST /tenants/XYZ/networks/158233b0-ca9a-40b4-8614-54a4a99d47d1/ranges.xml
#!highlight xml <ip_range> <address>192.168.0.0/24</address> </ip_range>
IPs
Describes which IPs are allowed in a network's port
Create IP
POST /tenants/XYZ/networks/158233b0-ca9a-40b4-8614-54a4a99d47d1/ports/98017ddc-efc8-4c25-a915-774b2a633855/ips.xml
#!highlight xml <ip> <address>192.168.0.3</address> </ip>
(Contact: Willian Molinari (PotHix), Thiago Morello, Juliano Martinez) <
>
