openstack/neutron
Code Issues Proposed changes

Merge "Remove references to FWaaS v1"

Browse Source
This commit is contained in:
Zuul 2019-09-07 23:08:29 +00:00 committed by Gerrit Code Review
commit 5f116b97ee
5 changed files with 24 additions and 33822 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
doc/source/admin/figures/fwaas.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 92 KiB

33668
doc/source/admin/figures/fwaas.svg
View File

File diff suppressed because one or more lines are too long
Side by Side

Before

Width:  |  Height:  |  Size: 1.1 MiB

119
doc/source/admin/fwaas-v1-scenario.rst
View File

@ -1,119 +0,0 @@
Firewall-as-a-Service (FWaaS) v1 scenario
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Enable FWaaS v1
---------------
FWaaS management options are also available in the Dashboard.
#. Enable the FWaaS plug-in in the ``/etc/neutron/neutron.conf`` file:
.. code-block:: ini
service_plugins = firewall
[service_providers]
# ...
service_provider = FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default
[fwaas]
driver = iptables
enabled = True
.. note::
On Ubuntu, modify the ``[fwaas]`` section in the
``/etc/neutron/fwaas_driver.ini`` file instead of
``/etc/neutron/neutron.conf``.
#. Configure the FWaaS plugin for the L3 agent.
In the ``AGENT`` section of ``l3_agent.ini``, make sure the FWaaS extension
is loaded:
.. code-block:: ini
[AGENT]
extensions = fwaas
Edit the FWaaS section in the ``/etc/neutron/neutron.conf`` file to indicate
the agent version and driver:
.. code-block:: ini
[fwaas]
agent_version = v1
driver = iptables
enabled = True
conntrack_driver = conntrack
#. Create the required tables in the database:
.. code-block:: console
# neutron-db-manage --subproject neutron-fwaas upgrade head
#. Restart the ``neutron-l3-agent`` and ``neutron-server`` services
to apply the settings.
Configure Firewall-as-a-Service v1
----------------------------------
Create the firewall rules and create a policy that contains them.
Then, create a firewall that applies the policy.
#. Create a firewall rule:
.. code-block:: console
$ neutron firewall-rule-create --protocol {tcp,udp,icmp,any} \
--source-ip-address SOURCE_IP_ADDRESS \
--destination-ip-address DESTINATION_IP_ADDRESS \
--source-port SOURCE_PORT_RANGE --destination-port DEST_PORT_RANGE \
--action {allow,deny,reject}
The Networking client requires a protocol value. If the rule is protocol
agnostic, you can use the ``any`` value.
.. note::
When the source or destination IP address are not of the same IP
version (for example, IPv6), the command returns an error.
#. Create a firewall policy:
.. code-block:: console
$ neutron firewall-policy-create --firewall-rules \
"FIREWALL_RULE_IDS_OR_NAMES" myfirewallpolicy
Separate firewall rule IDs or names with spaces. The order in which you
specify the rules is important.
You can create a firewall policy without any rules and add rules later,
as follows:
* To add multiple rules, use the update operation.
* To add a single rule, use the insert-rule operation.
For more details, see `Networking command-line client
<https://docs.openstack.org/cli-reference/neutron.html>`_
in the OpenStack Command-Line Interface Reference.
.. note::
FWaaS always adds a default ``deny all`` rule at the lowest precedence
of each policy. Consequently, a firewall policy with no rules blocks
all traffic by default.
#. Create a firewall:
.. code-block:: console
$ neutron firewall-create FIREWALL_POLICY_UUID
.. note::
The firewall remains in PENDING\_CREATE state until you create a
Networking router and attach an interface to it.

58
doc/source/admin/fwaas.rst
View File

@ -4,10 +4,6 @@ Firewall-as-a-Service (FWaaS)
The Firewall-as-a-Service (FWaaS) plug-in applies firewalls to The Firewall-as-a-Service (FWaaS) plug-in applies firewalls to
OpenStack objects such as projects, routers, and router ports. OpenStack objects such as projects, routers, and router ports.
.. note::
We anticipate this to expand to VM ports in the Ocata cycle.
The central concepts with OpenStack firewalls are the notions of a firewall The central concepts with OpenStack firewalls are the notions of a firewall
policy and a firewall rule. A policy is an ordered collection of rules. A rule policy and a firewall rule. A policy is an ordered collection of rules. A rule
specifies a collection of attributes (such as port ranges, protocol, and IP specifies a collection of attributes (such as port ranges, protocol, and IP
@ -20,17 +16,6 @@ example, an iptables driver implements firewalls using iptable rules. An
OpenVSwitch driver implements firewall rules using flow entries in flow tables. OpenVSwitch driver implements firewall rules using flow entries in flow tables.
A Cisco firewall driver manipulates NSX devices. A Cisco firewall driver manipulates NSX devices.
FWaaS v1
--------
The original FWaaS implementation, v1, provides protection for routers. When
a firewall is applied to a router, all internal ports are protected.
The following diagram depicts FWaaS v1 protection. It illustrates the flow of
ingress and egress traffic for the VM2 instance:
.. figure:: figures/fwaas.png
FWaaS v2 FWaaS v2
-------- --------
@ -41,28 +26,33 @@ policy. A firewall group is applied not at the router level (all ports on a
router) but at the port level. Currently, router ports can be specified. For router) but at the port level. Currently, router ports can be specified. For
Ocata, VM ports can also be specified. Ocata, VM ports can also be specified.
FWaaS v1 versus v2 FWaaS v1
------------------ --------
The following table compares v1 and v2 features. FWaaS v1 was deprecated in the Newton cycle and removed entirely in the Stein
cycle.
+------------------------------------------+-----+------+ FWaaS Feature Matrix
| Feature | v1 | v2 | ---------------------
+==========================================+=====+======+
| Supports L3 firewalling for routers | YES | NO* | The following table shows FWaaS v2 features.
+------------------------------------------+-----+------+
| Supports L3 firewalling for router ports | NO | YES | +------------------------------------------+-----------+
+------------------------------------------+-----+------+ | Feature | Supported |
| Supports L2 firewalling (VM ports) | NO | YES | +==========================================+===========+
+------------------------------------------+-----+------+ | Supports L3 firewalling for routers | NO* |
| CLI support | YES | YES | +------------------------------------------+-----------+
+------------------------------------------+-----+------+ | Supports L3 firewalling for router ports | YES |
| Horizon support | YES | NO | +------------------------------------------+-----------+
+------------------------------------------+-----+------+ | Supports L2 firewalling (VM ports) | YES |
+------------------------------------------+-----------+
| CLI support | YES |
+------------------------------------------+-----------+
| Horizon support | NO |
+------------------------------------------+-----------+
\* A firewall group can be applied to all ports on a given router in order to \* A firewall group can be applied to all ports on a given router in order to
effect this. effect this.
For further information, see `v1 configuration guide For further information, see the
<./fwaas-v1-scenario.html>`_ or `FWaaS v2 configuration guide <./fwaas-v2-scenario.html>`_.
`v2 configuration guide <./fwaas-v2-scenario.html>`_.

1
doc/source/admin/misc.rst
View File

@ -8,7 +8,6 @@ Miscellaneous
:maxdepth: 2 :maxdepth: 2
fwaas-v2-scenario fwaas-v2-scenario
fwaas-v1-scenario
misc-libvirt misc-libvirt
neutron_linuxbridge neutron_linuxbridge
vpnaas-scenario vpnaas-scenario