Merge "Remove references to FWaaS v1"

tags/15.0.0.0b1
Zuul 1 month ago
parent
commit
5f116b97ee

BIN
doc/source/admin/figures/fwaas.png


+ 0
- 33668
doc/source/admin/figures/fwaas.svg
File diff suppressed because it is too large


+ 0
- 119
doc/source/admin/fwaas-v1-scenario.rst

@@ -1,119 +0,0 @@
1
-Firewall-as-a-Service (FWaaS) v1 scenario
2
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
3
-
4
-Enable FWaaS v1
5
----------------
6
-
7
-FWaaS management options are also available in the Dashboard.
8
-
9
-#. Enable the FWaaS plug-in in the ``/etc/neutron/neutron.conf`` file:
10
-
11
-   .. code-block:: ini
12
-
13
-      service_plugins = firewall
14
-
15
-      [service_providers]
16
-      # ...
17
-      service_provider = FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default
18
-
19
-      [fwaas]
20
-      driver = iptables
21
-      enabled = True
22
-
23
-   .. note::
24
-
25
-      On Ubuntu, modify the ``[fwaas]`` section in the
26
-      ``/etc/neutron/fwaas_driver.ini`` file instead of
27
-      ``/etc/neutron/neutron.conf``.
28
-
29
-#. Configure the FWaaS plugin for the L3 agent.
30
-
31
-   In the ``AGENT`` section of ``l3_agent.ini``, make sure the FWaaS extension
32
-   is loaded:
33
-
34
-   .. code-block:: ini
35
-
36
-      [AGENT]
37
-      extensions = fwaas
38
-
39
-   Edit the FWaaS section in the ``/etc/neutron/neutron.conf`` file to indicate
40
-   the agent version and driver:
41
-
42
-   .. code-block:: ini
43
-
44
-      [fwaas]
45
-      agent_version = v1
46
-      driver = iptables
47
-      enabled = True
48
-      conntrack_driver = conntrack
49
-
50
-#. Create the required tables in the database:
51
-
52
-   .. code-block:: console
53
-
54
-      # neutron-db-manage --subproject neutron-fwaas upgrade head
55
-
56
-#. Restart the ``neutron-l3-agent`` and ``neutron-server`` services
57
-   to apply the settings.
58
-
59
-Configure Firewall-as-a-Service v1
60
-----------------------------------
61
-
62
-Create the firewall rules and create a policy that contains them.
63
-Then, create a firewall that applies the policy.
64
-
65
-#. Create a firewall rule:
66
-
67
-   .. code-block:: console
68
-
69
-      $ neutron firewall-rule-create --protocol {tcp,udp,icmp,any} \
70
-        --source-ip-address SOURCE_IP_ADDRESS \
71
-        --destination-ip-address DESTINATION_IP_ADDRESS \
72
-        --source-port SOURCE_PORT_RANGE --destination-port DEST_PORT_RANGE \
73
-        --action {allow,deny,reject}
74
-
75
-   The Networking client requires a protocol value.  If the rule is protocol
76
-   agnostic, you can use the ``any`` value.
77
-
78
-   .. note::
79
-
80
-      When the source or destination IP address are not of the same IP
81
-      version (for example, IPv6), the command returns an error.
82
-
83
-#. Create a firewall policy:
84
-
85
-   .. code-block:: console
86
-
87
-      $ neutron firewall-policy-create --firewall-rules \
88
-        "FIREWALL_RULE_IDS_OR_NAMES" myfirewallpolicy
89
-
90
-   Separate firewall rule IDs or names with spaces. The order in which you
91
-   specify the rules is important.
92
-
93
-   You can create a firewall policy without any rules and add rules later,
94
-   as follows:
95
-
96
-   * To add multiple rules, use the update operation.
97
-
98
-   * To add a single rule, use the insert-rule operation.
99
-
100
-   For more details, see `Networking command-line client
101
-   <https://docs.openstack.org/cli-reference/neutron.html>`_
102
-   in the OpenStack Command-Line Interface Reference.
103
-
104
-   .. note::
105
-
106
-      FWaaS always adds a default ``deny all`` rule at the lowest precedence
107
-      of each policy. Consequently, a firewall policy with no rules blocks
108
-      all traffic by default.
109
-
110
-#. Create a firewall:
111
-
112
-   .. code-block:: console
113
-
114
-      $ neutron firewall-create FIREWALL_POLICY_UUID
115
-
116
-   .. note::
117
-
118
-      The firewall remains in PENDING\_CREATE state until you create a
119
-      Networking router and attach an interface to it.
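
Review bot: The removed note at old lines 104-108 ("FWaaS always adds a default ``deny all`` rule at the lowest precedence of each policy") is the only place in this diff that documents default-deny behaviour for a policy with no rules. If the same holds for v2, please confirm the v2 scenario guide states it or carry the note over into fwaas.rst; that guide is not part of this change, so it cannot be checked from here. Also, fwaas.rst linked this page as ./fwaas-v1-scenario.html, so a redirect to the v2 guide would keep existing links from breaking once the file is gone.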

+ 24
- 34
doc/source/admin/fwaas.rst

@@ -4,10 +4,6 @@ Firewall-as-a-Service (FWaaS)
4 4
 The Firewall-as-a-Service (FWaaS) plug-in applies firewalls to
5 5
 OpenStack objects such as projects, routers, and router ports.
6 6
 
7
-.. note::
8
-
9
-    We anticipate this to expand to VM ports in the Ocata cycle.
10
-
11 7
 The central concepts with OpenStack firewalls are the notions of a firewall
12 8
 policy and a firewall rule. A policy is an ordered collection of rules. A rule
13 9
 specifies a collection of attributes (such as port ranges, protocol, and IP
@@ -20,17 +16,6 @@ example, an iptables driver implements firewalls using iptable rules. An
20 16
 OpenVSwitch driver implements firewall rules using flow entries in flow tables.
21 17
 A Cisco firewall driver manipulates NSX devices.
22 18
 
23
-FWaaS v1
24
---------
25
-
26
-The original FWaaS implementation, v1, provides protection for routers. When
27
-a firewall is applied to a router, all internal ports are protected.
28
-
29
-The following diagram depicts FWaaS v1 protection. It illustrates the flow of
30
-ingress and egress traffic for the VM2 instance:
31
-
32
-.. figure:: figures/fwaas.png
33
-
34 19
 FWaaS v2
35 20
 --------
36 21
 
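
Review bot: Not introduced by this change, but the context line at new line 17, "A Cisco firewall driver manipulates NSX devices.", pairs Cisco with NSX, which is a VMware product; since the surrounding section is being edited anyway, please correct the vendor/product pairing in the same patch or a follow-up. The sentence quoted in the hunk header also has "iptable rules" where "iptables rules" is meant.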
@@ -41,28 +26,33 @@ policy. A firewall group is applied not at the router level (all ports on a
41 26
 router) but at the port level. Currently, router ports can be specified. For
42 27
 Ocata, VM ports can also be specified.
43 28
 
44
-FWaaS v1 versus v2
45
-------------------
29
+FWaaS v1
30
+--------
31
+
32
+FWaaS v1 was deprecated in the Newton cycle and removed entirely in the Stein
33
+cycle.
34
+
35
+FWaaS Feature Matrix
36
+---------------------
46 37
 
47
-The following table compares v1 and v2 features.
38
+The following table shows FWaaS v2 features.
48 39
 
49
-+------------------------------------------+-----+------+
50
-| Feature                                  | v1  | v2   |
51
-+==========================================+=====+======+
52
-| Supports L3 firewalling for routers      | YES | NO*  |
53
-+------------------------------------------+-----+------+
54
-| Supports L3 firewalling for router ports | NO  | YES  |
55
-+------------------------------------------+-----+------+
56
-| Supports L2 firewalling (VM ports)       | NO  | YES  |
57
-+------------------------------------------+-----+------+
58
-| CLI support                              | YES | YES  |
59
-+------------------------------------------+-----+------+
60
-| Horizon support                          | YES | NO   |
61
-+------------------------------------------+-----+------+
40
++------------------------------------------+-----------+
41
+| Feature                                  | Supported |
42
++==========================================+===========+
43
+| Supports L3 firewalling for routers      | NO*       |
44
++------------------------------------------+-----------+
45
+| Supports L3 firewalling for router ports | YES       |
46
++------------------------------------------+-----------+
47
+| Supports L2 firewalling (VM ports)       | YES       |
48
++------------------------------------------+-----------+
49
+| CLI support                              | YES       |
50
++------------------------------------------+-----------+
51
+| Horizon support                          | NO        |
52
++------------------------------------------+-----------+
62 53
 
63 54
 \* A firewall group can be applied to all ports on a given router in order to
64 55
 effect this.
65 56
 
66
-For further information, see `v1 configuration guide
67
-<./fwaas-v1-scenario.html>`_ or
68
-`v2 configuration guide <./fwaas-v2-scenario.html>`_.
57
+For further information, see the
58
+`FWaaS v2 configuration guide <./fwaas-v2-scenario.html>`_.
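
Review bot: The unchanged context at new lines 26-27 still reads "Currently, router ports can be specified. For Ocata, VM ports can also be specified.", which is stale next to the new text about removal in the Stein cycle and the new table row listing L2 firewalling (VM ports) as YES. Suggest rewording it to say plainly that router ports and VM ports can both be specified, without the release-relative "Currently" and "For Ocata". Minor: the new "FWaaS v1" section holds a single deprecation sentence and now sits after "FWaaS v2"; a ``.. note::`` near the top of the page would carry the same information without a section heading.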

+ 0
- 1
doc/source/admin/misc.rst

@@ -8,7 +8,6 @@ Miscellaneous
8 8
    :maxdepth: 2
9 9
 
10 10
    fwaas-v2-scenario
11
-   fwaas-v1-scenario
12 11
    misc-libvirt
13 12
    neutron_linuxbridge
14 13
    vpnaas-scenario
