
Merge "Remove references to FWaaS v1"

tags/15.0.0.0b1
Zuul 2 months ago
parent
commit
5f116b97ee
5 changed files with 24 additions and 33822 deletions
  1. BIN
      doc/source/admin/figures/fwaas.png
  2. +0
    -33668
      doc/source/admin/figures/fwaas.svg
  3. +0
    -119
      doc/source/admin/fwaas-v1-scenario.rst
  4. +24
    -34
      doc/source/admin/fwaas.rst
  5. +0
    -1
      doc/source/admin/misc.rst

BIN
doc/source/admin/figures/fwaas.png View File


+ 0
- 33668
doc/source/admin/figures/fwaas.svg
File diff suppressed because it is too large
View File


+ 0
- 119
doc/source/admin/fwaas-v1-scenario.rst View File

@@ -1,119 +0,0 @@
Firewall-as-a-Service (FWaaS) v1 scenario
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Enable FWaaS v1
---------------

FWaaS management options are also available in the Dashboard.

#. Enable the FWaaS plug-in in the ``/etc/neutron/neutron.conf`` file:

.. code-block:: ini

service_plugins = firewall

[service_providers]
# ...
service_provider = FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default

[fwaas]
driver = iptables
enabled = True

.. note::

On Ubuntu, modify the ``[fwaas]`` section in the
``/etc/neutron/fwaas_driver.ini`` file instead of
``/etc/neutron/neutron.conf``.

#. Configure the FWaaS plugin for the L3 agent.

In the ``AGENT`` section of ``l3_agent.ini``, make sure the FWaaS extension
is loaded:

.. code-block:: ini

[AGENT]
extensions = fwaas

Edit the FWaaS section in the ``/etc/neutron/neutron.conf`` file to indicate
the agent version and driver:

.. code-block:: ini

[fwaas]
agent_version = v1
driver = iptables
enabled = True
conntrack_driver = conntrack

#. Create the required tables in the database:

.. code-block:: console

# neutron-db-manage --subproject neutron-fwaas upgrade head

#. Restart the ``neutron-l3-agent`` and ``neutron-server`` services
to apply the settings.

Configure Firewall-as-a-Service v1
----------------------------------

Create the firewall rules and create a policy that contains them.
Then, create a firewall that applies the policy.

#. Create a firewall rule:

.. code-block:: console

$ neutron firewall-rule-create --protocol {tcp,udp,icmp,any} \
--source-ip-address SOURCE_IP_ADDRESS \
--destination-ip-address DESTINATION_IP_ADDRESS \
--source-port SOURCE_PORT_RANGE --destination-port DEST_PORT_RANGE \
--action {allow,deny,reject}

The Networking client requires a protocol value. If the rule is protocol
agnostic, you can use the ``any`` value.

.. note::

When the source or destination IP address are not of the same IP
version (for example, IPv6), the command returns an error.

#. Create a firewall policy:

.. code-block:: console

$ neutron firewall-policy-create --firewall-rules \
"FIREWALL_RULE_IDS_OR_NAMES" myfirewallpolicy

Separate firewall rule IDs or names with spaces. The order in which you
specify the rules is important.

You can create a firewall policy without any rules and add rules later,
as follows:

* To add multiple rules, use the update operation.

* To add a single rule, use the insert-rule operation.

For more details, see `Networking command-line client
<https://docs.openstack.org/cli-reference/neutron.html>`_
in the OpenStack Command-Line Interface Reference.

.. note::

FWaaS always adds a default ``deny all`` rule at the lowest precedence
of each policy. Consequently, a firewall policy with no rules blocks
all traffic by default.

#. Create a firewall:

.. code-block:: console

$ neutron firewall-create FIREWALL_POLICY_UUID

.. note::

The firewall remains in PENDING\_CREATE state until you create a
Networking router and attach an interface to it.
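Review bot: deleting this page drops the only statement in the docs shown here that FWaaS appends an implicit ``deny all`` rule at the lowest precedence of every policy (the note under "Create a firewall policy"), which is the operator-facing fact that an empty policy blocks all traffic. Before merging, confirm the v2 scenario guide carries the same default-deny statement, or move that note into ``fwaas.rst`` so the behaviour stays documented after the v1 page is gone. Also grep the rest of the docs tree (``:doc:`` and ``:ref:`` targets, release notes) for ``fwaas-v1-scenario`` and ``figures/fwaas``; this commit fixes the links in ``fwaas.rst`` and ``misc.rst``, but any other reference would become a Sphinx warning.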

+ 24
- 34
doc/source/admin/fwaas.rst View File

@@ -4,10 +4,6 @@ Firewall-as-a-Service (FWaaS)
The Firewall-as-a-Service (FWaaS) plug-in applies firewalls to
OpenStack objects such as projects, routers, and router ports.

.. note::

We anticipate this to expand to VM ports in the Ocata cycle.

The central concepts with OpenStack firewalls are the notions of a firewall
policy and a firewall rule. A policy is an ordered collection of rules. A rule
specifies a collection of attributes (such as port ranges, protocol, and IP
@@ -20,17 +16,6 @@ example, an iptables driver implements firewalls using iptable rules. An
OpenVSwitch driver implements firewall rules using flow entries in flow tables.
A Cisco firewall driver manipulates NSX devices.

FWaaS v1
--------

The original FWaaS implementation, v1, provides protection for routers. When
a firewall is applied to a router, all internal ports are protected.

The following diagram depicts FWaaS v1 protection. It illustrates the flow of
ingress and egress traffic for the VM2 instance:

.. figure:: figures/fwaas.png

FWaaS v2
--------
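Review bot: this removes the only reference to ``figures/fwaas.png`` shown in the diff, which matches the binary and SVG deletions in the file list; fine. Note that the rendered v1 protection diagram was the only picture of where the firewall sits in the traffic path, and the v2 section that follows has no equivalent figure, so a reader now has no visual of the port-level enforcement point. Not a blocker, but a follow-up figure for v2 would be useful.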

@@ -41,28 +26,33 @@ policy. A firewall group is applied not at the router level (all ports on a
router) but at the port level. Currently, router ports can be specified. For
Ocata, VM ports can also be specified.

FWaaS v1 versus v2
------------------
FWaaS v1
--------

FWaaS v1 was deprecated in the Newton cycle and removed entirely in the Stein
cycle.

FWaaS Feature Matrix
---------------------

The following table compares v1 and v2 features.
The following table shows FWaaS v2 features.

+------------------------------------------+-----+------+
| Feature | v1 | v2 |
+==========================================+=====+======+
| Supports L3 firewalling for routers | YES | NO* |
+------------------------------------------+-----+------+
| Supports L3 firewalling for router ports | NO | YES |
+------------------------------------------+-----+------+
| Supports L2 firewalling (VM ports) | NO | YES |
+------------------------------------------+-----+------+
| CLI support | YES | YES |
+------------------------------------------+-----+------+
| Horizon support | YES | NO |
+------------------------------------------+-----+------+
+------------------------------------------+-----------+
| Feature | Supported |
+==========================================+===========+
| Supports L3 firewalling for routers | NO* |
+------------------------------------------+-----------+
| Supports L3 firewalling for router ports | YES |
+------------------------------------------+-----------+
| Supports L2 firewalling (VM ports) | YES |
+------------------------------------------+-----------+
| CLI support | YES |
+------------------------------------------+-----------+
| Horizon support | NO |
+------------------------------------------+-----------+

\* A firewall group can be applied to all ports on a given router in order to
effect this.

For further information, see `v1 configuration guide
<./fwaas-v1-scenario.html>`_ or
`v2 configuration guide <./fwaas-v2-scenario.html>`_.
For further information, see the
`FWaaS v2 configuration guide <./fwaas-v2-scenario.html>`_.
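Review bot: the unchanged context at the top of this hunk ("Currently, router ports can be specified. For Ocata, VM ports can also be specified.") is the same kind of stale release-cycle projection that the first hunk deletes; since the new matrix states VM-port support as a plain YES, rewrite that sentence to say both router ports and VM ports can be specified. The new "FWaaS v1" section states deprecation and removal cycles (Newton, Stein) without a pointer; linking the corresponding release note would let readers verify it. The ``NO*`` entry and its footnote are preserved correctly, and the longer underline under "FWaaS Feature Matrix" is valid RST.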

+ 0
- 1
doc/source/admin/misc.rst View File

@@ -8,7 +8,6 @@ Miscellaneous
:maxdepth: 2

fwaas-v2-scenario
fwaas-v1-scenario
misc-libvirt
neutron_linuxbridge
vpnaas-scenario
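Review bot: the toctree entry removal matches the deleted ``fwaas-v1-scenario.rst``, and ``fwaas-v2-scenario`` remains as the FWaaS entry point under "Miscellaneous"; nothing else needed here provided the grep for other ``fwaas-v1-scenario`` references suggested on the first hunk comes back clean.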
