Merge "Remove references to FWaaS v1"

2019-09-07 23:08:29 +00:00 · 2019-09-07 23:08:29 +00:00 · 5f116b97ee
parent e941860c28 cb75ecb729
commit 5f116b97ee
5 changed files with 24 additions and 33822 deletions
--- a/doc/source/admin/figures/fwaas.png
+++ b/doc/source/admin/figures/fwaas.png
--- a/doc/source/admin/figures/fwaas.svg
+++ b/doc/source/admin/figures/fwaas.svg
--- a/doc/source/admin/fwaas-v1-scenario.rst
+++ b/doc/source/admin/fwaas-v1-scenario.rst
@ -1,119 +0,0 @@
-Firewall-as-a-Service (FWaaS) v1 scenario
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Enable FWaaS v1
---------------
-
-FWaaS management options are also available in the Dashboard.
-
-#. Enable the FWaaS plug-in in the ``/etc/neutron/neutron.conf`` file:
-
-   .. code-block:: ini
-
-      service_plugins = firewall
-
-      [service_providers]
-      # ...
-      service_provider = FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default
-
-      [fwaas]
-      driver = iptables
-      enabled = True
-
-   .. note::
-
-      On Ubuntu, modify the ``[fwaas]`` section in the
-      ``/etc/neutron/fwaas_driver.ini`` file instead of
-      ``/etc/neutron/neutron.conf``.
-
-#. Configure the FWaaS plugin for the L3 agent.
-
-   In the ``AGENT`` section of ``l3_agent.ini``, make sure the FWaaS extension
-   is loaded:
-
-   .. code-block:: ini
-
-      [AGENT]
-      extensions = fwaas
-
-   Edit the FWaaS section in the ``/etc/neutron/neutron.conf`` file to indicate
-   the agent version and driver:
-
-   .. code-block:: ini
-
-      [fwaas]
-      agent_version = v1
-      driver = iptables
-      enabled = True
-      conntrack_driver = conntrack
-
-#. Create the required tables in the database:
-
-   .. code-block:: console
-
-      # neutron-db-manage --subproject neutron-fwaas upgrade head
-
-#. Restart the ``neutron-l3-agent`` and ``neutron-server`` services
-   to apply the settings.
-
-Configure Firewall-as-a-Service v1
----------------------------------
-
-Create the firewall rules and create a policy that contains them.
-Then, create a firewall that applies the policy.
-
-#. Create a firewall rule:
-
-   .. code-block:: console
-
-      $ neutron firewall-rule-create --protocol {tcp,udp,icmp,any} \
-        --source-ip-address SOURCE_IP_ADDRESS \
-        --destination-ip-address DESTINATION_IP_ADDRESS \
-        --source-port SOURCE_PORT_RANGE --destination-port DEST_PORT_RANGE \
-        --action {allow,deny,reject}
-
-   The Networking client requires a protocol value.  If the rule is protocol
-   agnostic, you can use the ``any`` value.
-
-   .. note::
-
-      When the source or destination IP address are not of the same IP
-      version (for example, IPv6), the command returns an error.
-
-#. Create a firewall policy:
-
-   .. code-block:: console
-
-      $ neutron firewall-policy-create --firewall-rules \
-        "FIREWALL_RULE_IDS_OR_NAMES" myfirewallpolicy
-
-   Separate firewall rule IDs or names with spaces. The order in which you
-   specify the rules is important.
-
-   You can create a firewall policy without any rules and add rules later,
-   as follows:
-
-   * To add multiple rules, use the update operation.
-
-   * To add a single rule, use the insert-rule operation.
-
-   For more details, see `Networking command-line client
-   <https://docs.openstack.org/cli-reference/neutron.html>`_
-   in the OpenStack Command-Line Interface Reference.
-
-   .. note::
-
-      FWaaS always adds a default ``deny all`` rule at the lowest precedence
-      of each policy. Consequently, a firewall policy with no rules blocks
-      all traffic by default.
-
-#. Create a firewall:
-
-   .. code-block:: console
-
-      $ neutron firewall-create FIREWALL_POLICY_UUID
-
-   .. note::
-
-      The firewall remains in PENDING\_CREATE state until you create a
-      Networking router and attach an interface to it.
--- a/doc/source/admin/fwaas.rst
+++ b/doc/source/admin/fwaas.rst
@ -4,10 +4,6 @@ Firewall-as-a-Service (FWaaS)
 The Firewall-as-a-Service (FWaaS) plug-in applies firewalls to
 OpenStack objects such as projects, routers, and router ports.

-.. note::
-
-    We anticipate this to expand to VM ports in the Ocata cycle.
-
 The central concepts with OpenStack firewalls are the notions of a firewall
 policy and a firewall rule. A policy is an ordered collection of rules. A rule
 specifies a collection of attributes (such as port ranges, protocol, and IP
@ -20,17 +16,6 @@ example, an iptables driver implements firewalls using iptable rules. An
 OpenVSwitch driver implements firewall rules using flow entries in flow tables.
 A Cisco firewall driver manipulates NSX devices.

-FWaaS v1
--------
-
-The original FWaaS implementation, v1, provides protection for routers. When
-a firewall is applied to a router, all internal ports are protected.
-
-The following diagram depicts FWaaS v1 protection. It illustrates the flow of
-ingress and egress traffic for the VM2 instance:
-
-.. figure:: figures/fwaas.png
-
 FWaaS v2
 --------

@ -41,28 +26,33 @@ policy. A firewall group is applied not at the router level (all ports on a
 router) but at the port level. Currently, router ports can be specified. For
 Ocata, VM ports can also be specified.

-FWaaS v1 versus v2
------------------
+FWaaS v1
+--------

-The following table compares v1 and v2 features.
+FWaaS v1 was deprecated in the Newton cycle and removed entirely in the Stein
+cycle.

-+------------------------------------------+-----+------+
-| Feature                                  | v1  | v2   |
-+==========================================+=====+======+
-| Supports L3 firewalling for routers      | YES | NO*  |
-+------------------------------------------+-----+------+
-| Supports L3 firewalling for router ports | NO  | YES  |
-+------------------------------------------+-----+------+
-| Supports L2 firewalling (VM ports)       | NO  | YES  |
-+------------------------------------------+-----+------+
-| CLI support                              | YES | YES  |
-+------------------------------------------+-----+------+
-| Horizon support                          | YES | NO   |
-+------------------------------------------+-----+------+
+FWaaS Feature Matrix
+---------------------
+
+The following table shows FWaaS v2 features.
+
+------------------------------------------+-----------+
+| Feature                                  | Supported |
+==========================================+===========+
+| Supports L3 firewalling for routers      | NO*       |
+------------------------------------------+-----------+
+| Supports L3 firewalling for router ports | YES       |
+------------------------------------------+-----------+
+| Supports L2 firewalling (VM ports)       | YES       |
+------------------------------------------+-----------+
+| CLI support                              | YES       |
+------------------------------------------+-----------+
+| Horizon support                          | NO        |
+------------------------------------------+-----------+

 \* A firewall group can be applied to all ports on a given router in order to
 effect this.

-For further information, see `v1 configuration guide
-<./fwaas-v1-scenario.html>`_ or
-`v2 configuration guide <./fwaas-v2-scenario.html>`_.
+For further information, see the
+`FWaaS v2 configuration guide <./fwaas-v2-scenario.html>`_.
--- a/doc/source/admin/misc.rst
+++ b/doc/source/admin/misc.rst
@ -8,7 +8,6 @@ Miscellaneous
   :maxdepth: 2

   fwaas-v2-scenario
-   fwaas-v1-scenario
   misc-libvirt
   neutron_linuxbridge
   vpnaas-scenario