Revert "doc: Remove fwaas references from docs"
This reverts commit bce27811df
.
Reason for revert: neutron-fwaas has maintainers so the documentation should be available.
Due to changes since the original deletion commit the following changes
were added:
* Add note that OVN is not yet supported
* Remove note that Horizon support is not available
Change-Id: I1a739ee045b49e9b44283c28f95b1accc8a1e37f
This commit is contained in:
parent
bce27811df
commit
7c4f273ed9
@ -104,6 +104,11 @@ Set these options to configure SSL:
|
|||||||
``backlog = 4096``
|
``backlog = 4096``
|
||||||
Number of backlog requests with which to configure the socket.
|
Number of backlog requests with which to configure the socket.
|
||||||
|
|
||||||
|
Firewall-as-a-Service (FWaaS) overview
|
||||||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
For information on Firewall-as-a-Service (FWaaS), please consult the :doc:`Networking Guide <../fwaas>`.
|
||||||
|
|
||||||
Allowed-address-pairs
|
Allowed-address-pairs
|
||||||
~~~~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
@ -413,6 +413,11 @@ configuration. Either or both the ``peer_address`` and the
|
|||||||
addressing modes and router modes described above should not impact
|
addressing modes and router modes described above should not impact
|
||||||
support.
|
support.
|
||||||
|
|
||||||
|
FWaaS
|
||||||
|
-----
|
||||||
|
|
||||||
|
FWaaS allows creation of IPv6 based rules.
|
||||||
|
|
||||||
NAT & Floating IPs
|
NAT & Floating IPs
|
||||||
------------------
|
------------------
|
||||||
|
|
||||||
|
@ -41,6 +41,20 @@ To enable the logging service, follow the below steps.
|
|||||||
[agent]
|
[agent]
|
||||||
extensions = log
|
extensions = log
|
||||||
|
|
||||||
|
.. note::
|
||||||
|
|
||||||
|
Fwaas v2 log is currently only supported by openvswitch, the firewall
|
||||||
|
logging driver of linuxbridge is not implemented.
|
||||||
|
|
||||||
|
#. To enable logging service for ``firewall_group`` in Layer 3, add
|
||||||
|
``fwaas_v2_log`` to option ``extensions`` in section ``[AGENT]`` in
|
||||||
|
``/etc/neutron/l3_agent.ini`` for network nodes. For example:
|
||||||
|
|
||||||
|
.. code-block:: ini
|
||||||
|
|
||||||
|
[AGENT]
|
||||||
|
extensions = fwaas_v2,fwaas_v2_log
|
||||||
|
|
||||||
#. On compute/network nodes, add configuration for logging service to
|
#. On compute/network nodes, add configuration for logging service to
|
||||||
``[network_log]`` in ``/etc/neutron/plugins/ml2/openvswitch_agent.ini`` and in
|
``[network_log]`` in ``/etc/neutron/plugins/ml2/openvswitch_agent.ini`` and in
|
||||||
``/etc/neutron/l3_agent.ini`` as shown bellow:
|
``/etc/neutron/l3_agent.ini`` as shown bellow:
|
||||||
|
@ -151,7 +151,7 @@ Known limitations
|
|||||||
If huge pages are not present in the guest, the interface will appear but
|
If huge pages are not present in the guest, the interface will appear but
|
||||||
will not function.
|
will not function.
|
||||||
* Expect performance degradation of services using tap devices: these devices
|
* Expect performance degradation of services using tap devices: these devices
|
||||||
do not support DPDK. Example services include DVR.
|
do not support DPDK. Example services include DVR and FWaaS.
|
||||||
* When the ``ovs_use_veth`` option is set to ``True``, any traffic sent
|
* When the ``ovs_use_veth`` option is set to ``True``, any traffic sent
|
||||||
from a DHCP namespace will have an incorrect TCP checksum.
|
from a DHCP namespace will have an incorrect TCP checksum.
|
||||||
This means that if ``enable_isolated_metadata`` is set to ``True`` and
|
This means that if ``enable_isolated_metadata`` is set to ``True`` and
|
||||||
|
@ -18,7 +18,7 @@ Among those of special interest are:
|
|||||||
responsible for wiring and securing virtual interfaces (usually both
|
responsible for wiring and securing virtual interfaces (usually both
|
||||||
compute and network nodes).
|
compute and network nodes).
|
||||||
#. Layer3 agent that runs on network node and provides east-west and
|
#. Layer3 agent that runs on network node and provides east-west and
|
||||||
north-south routing plus some advanced services such as VPNaaS.
|
north-south routing plus some advanced services such as FWaaS or VPNaaS.
|
||||||
|
|
||||||
Configuration options
|
Configuration options
|
||||||
~~~~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
129
doc/source/admin/fwaas-v2-scenario.rst
Normal file
129
doc/source/admin/fwaas-v2-scenario.rst
Normal file
@ -0,0 +1,129 @@
|
|||||||
|
Firewall-as-a-Service (FWaaS) v2 scenario
|
||||||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
.. note::
|
||||||
|
|
||||||
|
Firewall v2 has no support for OVN currently.
|
||||||
|
|
||||||
|
Enable FWaaS v2
|
||||||
|
---------------
|
||||||
|
|
||||||
|
#. Enable the FWaaS plug-in in the ``/etc/neutron/neutron.conf`` file:
|
||||||
|
|
||||||
|
.. code-block:: ini
|
||||||
|
|
||||||
|
service_plugins = firewall_v2
|
||||||
|
|
||||||
|
[service_providers]
|
||||||
|
# ...
|
||||||
|
service_provider = FIREWALL_V2:fwaas_db:neutron_fwaas.services.firewall.service_drivers.agents.agents.FirewallAgentDriver:default
|
||||||
|
|
||||||
|
[fwaas]
|
||||||
|
agent_version = v2
|
||||||
|
driver = neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.iptables_fwaas_v2.IptablesFwaasDriver
|
||||||
|
enabled = True
|
||||||
|
|
||||||
|
.. note::
|
||||||
|
|
||||||
|
On Ubuntu and Centos, modify the ``[fwaas]`` section in the
|
||||||
|
``/etc/neutron/fwaas_driver.ini`` file instead of
|
||||||
|
``/etc/neutron/neutron.conf``.
|
||||||
|
|
||||||
|
#. Configure the FWaaS plugin for the L3 agent.
|
||||||
|
|
||||||
|
In the ``AGENT`` section of ``l3_agent.ini``, make sure the FWaaS v2
|
||||||
|
extension is loaded:
|
||||||
|
|
||||||
|
.. code-block:: ini
|
||||||
|
|
||||||
|
[AGENT]
|
||||||
|
extensions = fwaas_v2
|
||||||
|
|
||||||
|
#. Configure the ML2 plugin agent extension.
|
||||||
|
|
||||||
|
Add the following statements to ``ml2_conf.ini``, this file is usually
|
||||||
|
located at ``/etc/neutron/plugins/ml2/ml2_conf.ini``:
|
||||||
|
|
||||||
|
.. code-block:: ini
|
||||||
|
|
||||||
|
[agent]
|
||||||
|
extensions = fwaas_v2
|
||||||
|
|
||||||
|
[fwaas]
|
||||||
|
firewall_l2_driver = noop
|
||||||
|
|
||||||
|
#. Create the required tables in the database:
|
||||||
|
|
||||||
|
.. code-block:: console
|
||||||
|
|
||||||
|
# neutron-db-manage --subproject neutron-fwaas upgrade head
|
||||||
|
|
||||||
|
#. Restart the ``neutron-l3-agent``, ``neutron-openvswitch-agent`` and
|
||||||
|
``neutron-server`` services to apply the settings.
|
||||||
|
|
||||||
|
Configure Firewall-as-a-Service v2
|
||||||
|
----------------------------------
|
||||||
|
|
||||||
|
Create the firewall rules and create a policy that contains them.
|
||||||
|
Then, create a firewall that applies the policy.
|
||||||
|
|
||||||
|
#. Create a firewall rule:
|
||||||
|
|
||||||
|
.. code-block:: console
|
||||||
|
|
||||||
|
$ openstack firewall group rule create --protocol {tcp,udp,icmp,any} \
|
||||||
|
--source-ip-address SOURCE_IP_ADDRESS \
|
||||||
|
--destination-ip-address DESTINATION_IP_ADDRESS \
|
||||||
|
--source-port SOURCE_PORT_RANGE --destination-port DEST_PORT_RANGE \
|
||||||
|
--action {allow,deny,reject}
|
||||||
|
|
||||||
|
The Networking client requires a protocol value. If the rule is protocol
|
||||||
|
agnostic, you can use the ``any`` value.
|
||||||
|
|
||||||
|
.. note::
|
||||||
|
|
||||||
|
When the source or destination IP address are not of the same IP
|
||||||
|
version (for example, IPv6), the command returns an error.
|
||||||
|
|
||||||
|
#. Create a firewall policy:
|
||||||
|
|
||||||
|
.. code-block:: console
|
||||||
|
|
||||||
|
$ openstack firewall group policy create --firewall-rule \
|
||||||
|
"FIREWALL_RULE_IDS_OR_NAMES" myfirewallpolicy
|
||||||
|
|
||||||
|
Separate firewall rule IDs or names with spaces. The order in which you
|
||||||
|
specify the rules is important.
|
||||||
|
|
||||||
|
You can create a firewall policy without any rules and add rules later,
|
||||||
|
as follows:
|
||||||
|
|
||||||
|
* To add multiple rules, use the update operation.
|
||||||
|
|
||||||
|
* To add a single rule, use the insert-rule operation.
|
||||||
|
|
||||||
|
For more details, see `Networking command-line client
|
||||||
|
<https://docs.openstack.org/cli-reference/neutron.html>`_
|
||||||
|
in the OpenStack Command-Line Interface Reference.
|
||||||
|
|
||||||
|
.. note::
|
||||||
|
|
||||||
|
FWaaS always adds a default ``deny all`` rule at the lowest precedence
|
||||||
|
of each policy. Consequently, a firewall policy with no rules blocks
|
||||||
|
all traffic by default.
|
||||||
|
|
||||||
|
#. Create a firewall group:
|
||||||
|
|
||||||
|
.. code-block:: console
|
||||||
|
|
||||||
|
$ openstack firewall group create --ingress-firewall-policy \
|
||||||
|
"FIREWALL_POLICY_IDS_OR_NAMES" --egress-firewall-policy \
|
||||||
|
"FIREWALL_POLICY_IDS_OR_NAMES" --port "PORT_IDS_OR_NAMES"
|
||||||
|
|
||||||
|
Separate firewall policy IDs or names with spaces. The direction in which you
|
||||||
|
specify the policies is important.
|
||||||
|
|
||||||
|
.. note::
|
||||||
|
|
||||||
|
The firewall remains in PENDING\_CREATE state until you create a
|
||||||
|
Networking router and attach an interface to it.
|
58
doc/source/admin/fwaas.rst
Normal file
58
doc/source/admin/fwaas.rst
Normal file
@ -0,0 +1,58 @@
|
|||||||
|
Firewall-as-a-Service (FWaaS)
|
||||||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
The Firewall-as-a-Service (FWaaS) plug-in applies firewalls to
|
||||||
|
OpenStack objects such as projects, routers, and router ports.
|
||||||
|
|
||||||
|
The central concepts with OpenStack firewalls are the notions of a firewall
|
||||||
|
policy and a firewall rule. A policy is an ordered collection of rules. A rule
|
||||||
|
specifies a collection of attributes (such as port ranges, protocol, and IP
|
||||||
|
addresses) that constitute match criteria and an action to take (allow or deny)
|
||||||
|
on matched traffic. A policy can be made public, so it can be shared across
|
||||||
|
projects.
|
||||||
|
|
||||||
|
Firewalls are implemented in various ways, depending on the driver used. For
|
||||||
|
example, an iptables driver implements firewalls using iptable rules. An
|
||||||
|
OpenVSwitch driver implements firewall rules using flow entries in flow tables.
|
||||||
|
A Cisco firewall driver manipulates NSX devices.
|
||||||
|
|
||||||
|
FWaaS v2
|
||||||
|
--------
|
||||||
|
|
||||||
|
The newer FWaaS implementation, v2, provides a much more granular service.
|
||||||
|
The notion of a firewall has been replaced with firewall group to indicate
|
||||||
|
that a firewall consists of two policies: an ingress policy and an egress
|
||||||
|
policy. A firewall group is applied not at the router level (all ports on a
|
||||||
|
router) but at the port level. Currently, router ports can be specified. For
|
||||||
|
Ocata, VM ports can also be specified.
|
||||||
|
|
||||||
|
FWaaS v1
|
||||||
|
--------
|
||||||
|
|
||||||
|
FWaaS v1 was deprecated in the Newton cycle and removed entirely in the Stein
|
||||||
|
cycle.
|
||||||
|
|
||||||
|
FWaaS Feature Matrix
|
||||||
|
---------------------
|
||||||
|
|
||||||
|
The following table shows FWaaS v2 features.
|
||||||
|
|
||||||
|
+------------------------------------------+-----------+
|
||||||
|
| Feature | Supported |
|
||||||
|
+==========================================+===========+
|
||||||
|
| Supports L3 firewalling for routers | NO* |
|
||||||
|
+------------------------------------------+-----------+
|
||||||
|
| Supports L3 firewalling for router ports | YES |
|
||||||
|
+------------------------------------------+-----------+
|
||||||
|
| Supports L2 firewalling (VM ports) | YES |
|
||||||
|
+------------------------------------------+-----------+
|
||||||
|
| CLI support | YES |
|
||||||
|
+------------------------------------------+-----------+
|
||||||
|
| Horizon support | YES |
|
||||||
|
+------------------------------------------+-----------+
|
||||||
|
|
||||||
|
\* A firewall group can be applied to all ports on a given router in order to
|
||||||
|
effect this.
|
||||||
|
|
||||||
|
For further information, see the
|
||||||
|
`FWaaS v2 configuration guide <./fwaas-v2-scenario.html>`_.
|
@ -372,3 +372,9 @@ The Load-Balancer-as-a-Service (LBaaS) API provisions and configures
|
|||||||
load balancers. The reference implementation is based on the HAProxy
|
load balancers. The reference implementation is based on the HAProxy
|
||||||
software load balancer. See the `Octavia project
|
software load balancer. See the `Octavia project
|
||||||
<https://docs.openstack.org/octavia/latest/>`_ for more information.
|
<https://docs.openstack.org/octavia/latest/>`_ for more information.
|
||||||
|
|
||||||
|
FWaaS
|
||||||
|
^^^^^
|
||||||
|
|
||||||
|
The Firewall-as-a-Service (FWaaS) API allows to apply firewalls to OpenStack
|
||||||
|
objects such as projects, routers, and router ports.
|
||||||
|
@ -70,3 +70,4 @@ components:
|
|||||||
intro-network-namespaces
|
intro-network-namespaces
|
||||||
intro-nat
|
intro-nat
|
||||||
intro-os-networking
|
intro-os-networking
|
||||||
|
fwaas
|
||||||
|
@ -7,6 +7,7 @@ Miscellaneous
|
|||||||
.. toctree::
|
.. toctree::
|
||||||
:maxdepth: 2
|
:maxdepth: 2
|
||||||
|
|
||||||
|
fwaas-v2-scenario
|
||||||
misc-libvirt
|
misc-libvirt
|
||||||
neutron_linuxbridge
|
neutron_linuxbridge
|
||||||
vpnaas-scenario
|
vpnaas-scenario
|
||||||
|
@ -379,14 +379,14 @@ oslo.policy, so we cannot determine which projects are neutron related
|
|||||||
projects, so the second entry point is required.
|
projects, so the second entry point is required.
|
||||||
|
|
||||||
The recommended entry point name is a repository name: For example,
|
The recommended entry point name is a repository name: For example,
|
||||||
'networking-sfc' for SFC:
|
'neutron-fwaas' for FWaaS and 'networking-sfc' for SFC:
|
||||||
|
|
||||||
.. code-block:: none
|
.. code-block:: none
|
||||||
|
|
||||||
oslo.policy.policies =
|
oslo.policy.policies =
|
||||||
neutron-sfc = neutron_sfc.policies:list_rules
|
neutron-fwaas = neutron_fwaas.policies:list_rules
|
||||||
neutron.policies =
|
neutron.policies =
|
||||||
neutron-sfc = neutron_sfc.policies:list_rules
|
neutron-fwaas = neutron_fwaas.policies:list_rules
|
||||||
|
|
||||||
Except registering the ``neutron.policies`` entry point, other steps to be done
|
Except registering the ``neutron.policies`` entry point, other steps to be done
|
||||||
in each neutron related project for policy-in-code support are same for all
|
in each neutron related project for policy-in-code support are same for all
|
||||||
|
@ -30,10 +30,6 @@ Historically, Neutron supported the following advanced services:
|
|||||||
#. **VPNaaS** (*VPN-as-a-Service*): derives from L3 agent to add
|
#. **VPNaaS** (*VPN-as-a-Service*): derives from L3 agent to add
|
||||||
VPNaaS functionality.
|
VPNaaS functionality.
|
||||||
|
|
||||||
.. note::
|
|
||||||
|
|
||||||
neutron-fwaas is deprecated and no more maintained!
|
|
||||||
|
|
||||||
Starting with the Kilo release, these services are split into separate
|
Starting with the Kilo release, these services are split into separate
|
||||||
repositories, and more extensions are being developed as well. Service
|
repositories, and more extensions are being developed as well. Service
|
||||||
plugins are a clean way of adding functionality in a cohesive manner
|
plugins are a clean way of adding functionality in a cohesive manner
|
||||||
|
@ -37,7 +37,7 @@ services. Among those of special interest:
|
|||||||
responsible for wiring and securing virtual interfaces (usually both Compute
|
responsible for wiring and securing virtual interfaces (usually both Compute
|
||||||
and Network nodes).
|
and Network nodes).
|
||||||
#. Layer3 agent that runs on Network node and provides East-West and
|
#. Layer3 agent that runs on Network node and provides East-West and
|
||||||
North-South routing plus some advanced services such as VPNaaS.
|
North-South routing plus some advanced services such as FWaaS or VPNaaS.
|
||||||
|
|
||||||
For the purpose of this document, we call all services, servers and agents that
|
For the purpose of this document, we call all services, servers and agents that
|
||||||
run on any node as just "services".
|
run on any node as just "services".
|
||||||
|
@ -26,7 +26,7 @@ Sub-Projects and Specs
|
|||||||
|
|
||||||
The `neutron-specs <http://opendev.org/openstack/neutron-specs>`_
|
The `neutron-specs <http://opendev.org/openstack/neutron-specs>`_
|
||||||
repository is only meant for specs from Neutron itself, and the advanced
|
repository is only meant for specs from Neutron itself, and the advanced
|
||||||
services repositories as well. This includes VPNaaS for example. Other
|
services repositories as well. This includes FWaaS and VPNaaS. Other
|
||||||
sub-projects are encouraged to fold their specs into their own devref code
|
sub-projects are encouraged to fold their specs into their own devref code
|
||||||
in their sub-project gerrit repositories. Please see additional comments
|
in their sub-project gerrit repositories. Please see additional comments
|
||||||
in the Neutron teams :ref:`section <specs-core-reviewer-team>`
|
in the Neutron teams :ref:`section <specs-core-reviewer-team>`
|
||||||
|
@ -3,7 +3,7 @@
|
|||||||
Neutron Bugs
|
Neutron Bugs
|
||||||
============
|
============
|
||||||
|
|
||||||
Neutron (client, core, VPNaaS) maintains all of its bugs in the following
|
Neutron (client, core, FwaaS, VPNaaS) maintains all of its bugs in the following
|
||||||
Launchpad projects:
|
Launchpad projects:
|
||||||
|
|
||||||
* `Launchpad Neutron <https://bugs.launchpad.net/neutron>`_
|
* `Launchpad Neutron <https://bugs.launchpad.net/neutron>`_
|
||||||
|
@ -69,6 +69,8 @@ names, which were moved out of Neutron: ::
|
|||||||
|
|
||||||
VPNAAS_TABLES = [...]
|
VPNAAS_TABLES = [...]
|
||||||
|
|
||||||
|
FWAAS_TABLES = [...]
|
||||||
|
|
||||||
# Arista ML2 driver Models moved to openstack/networking-arista
|
# Arista ML2 driver Models moved to openstack/networking-arista
|
||||||
REPO_ARISTA_TABLES = [...]
|
REPO_ARISTA_TABLES = [...]
|
||||||
|
|
||||||
@ -77,7 +79,7 @@ names, which were moved out of Neutron: ::
|
|||||||
|
|
||||||
...
|
...
|
||||||
|
|
||||||
TABLES = (VPNAAS_TABLES + ...
|
TABLES = (FWAAS_TABLES + VPNAAS_TABLES + ...
|
||||||
+ REPO_ARISTA_TABLES + REPO_CISCO_TABLES)
|
+ REPO_ARISTA_TABLES + REPO_CISCO_TABLES)
|
||||||
|
|
||||||
|
|
||||||
|
@ -49,4 +49,5 @@ Each plug-in that Networking uses has its own concepts. While not vital
|
|||||||
to operating the VNI and OpenStack environment, understanding these
|
to operating the VNI and OpenStack environment, understanding these
|
||||||
concepts can help you set up Networking. All Networking installations
|
concepts can help you set up Networking. All Networking installations
|
||||||
use a core plug-in and a security group plug-in (or just the No-Op
|
use a core plug-in and a security group plug-in (or just the No-Op
|
||||||
security group plug-in).
|
security group plug-in). Additionally, Firewall-as-a-Service (FWaaS)
|
||||||
|
is available.
|
||||||
|
@ -147,8 +147,8 @@ infrastructure.
|
|||||||
.. warning::
|
.. warning::
|
||||||
|
|
||||||
This option lacks support for self-service (private) networks, layer-3
|
This option lacks support for self-service (private) networks, layer-3
|
||||||
(routing) services, and advanced services such as LoadBalancer-as-a-Service
|
(routing) services, and advanced services such as FireWall-as-a-Service
|
||||||
(Octavia).
|
(FWaaS).
|
||||||
Consider the self-service networks option below if you desire these features.
|
Consider the self-service networks option below if you desire these features.
|
||||||
|
|
||||||
.. _figure-network1-services:
|
.. _figure-network1-services:
|
||||||
@ -167,7 +167,7 @@ self-service networks using overlay segmentation methods such
|
|||||||
as Virtual Extensible LAN (VXLAN). Essentially, it routes
|
as Virtual Extensible LAN (VXLAN). Essentially, it routes
|
||||||
virtual networks to physical networks using Network Address
|
virtual networks to physical networks using Network Address
|
||||||
Translation (NAT). Additionally, this option provides the foundation for
|
Translation (NAT). Additionally, this option provides the foundation for
|
||||||
advanced services such as LoadBalancer-as-a-service.
|
advanced services such as FWaaS.
|
||||||
|
|
||||||
The OpenStack user can create virtual networks without the knowledge
|
The OpenStack user can create virtual networks without the knowledge
|
||||||
of underlying infrastructure on the data network. This can also include
|
of underlying infrastructure on the data network. This can also include
|
||||||
|
Loading…
Reference in New Issue
Block a user