Browse Source

Merge "Remove references to FWaaS v1"

Zuul 11 months ago
committed by Gerrit Code Review
5 changed files with 24 additions and 33822 deletions
  1. BIN
  2. +0
  3. +0
  4. +24
  5. +0

doc/source/admin/figures/fwaas.png View File

Before After
Width: 660  |  Height: 399  |  Size: 92 KiB

+ 0
- 33668
File diff suppressed because it is too large
View File

+ 0
- 119
doc/source/admin/fwaas-v1-scenario.rst View File

@@ -1,119 +0,0 @@
Firewall-as-a-Service (FWaaS) v1 scenario

Enable FWaaS v1

FWaaS management options are also available in the Dashboard.

#. Enable the FWaaS plug-in in the ``/etc/neutron/neutron.conf`` file:

.. code-block:: ini

service_plugins = firewall

# ...
service_provider = FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default

driver = iptables
enabled = True

.. note::

On Ubuntu, modify the ``[fwaas]`` section in the
``/etc/neutron/fwaas_driver.ini`` file instead of

#. Configure the FWaaS plugin for the L3 agent.

In the ``AGENT`` section of ``l3_agent.ini``, make sure the FWaaS extension
is loaded:

.. code-block:: ini

extensions = fwaas

Edit the FWaaS section in the ``/etc/neutron/neutron.conf`` file to indicate
the agent version and driver:

.. code-block:: ini

agent_version = v1
driver = iptables
enabled = True
conntrack_driver = conntrack

#. Create the required tables in the database:

.. code-block:: console

# neutron-db-manage --subproject neutron-fwaas upgrade head

#. Restart the ``neutron-l3-agent`` and ``neutron-server`` services
to apply the settings.

Configure Firewall-as-a-Service v1

Create the firewall rules and create a policy that contains them.
Then, create a firewall that applies the policy.

#. Create a firewall rule:

.. code-block:: console

$ neutron firewall-rule-create --protocol {tcp,udp,icmp,any} \
--source-ip-address SOURCE_IP_ADDRESS \
--destination-ip-address DESTINATION_IP_ADDRESS \
--source-port SOURCE_PORT_RANGE --destination-port DEST_PORT_RANGE \
--action {allow,deny,reject}

The Networking client requires a protocol value. If the rule is protocol
agnostic, you can use the ``any`` value.

.. note::

When the source or destination IP address are not of the same IP
version (for example, IPv6), the command returns an error.

#. Create a firewall policy:

.. code-block:: console

$ neutron firewall-policy-create --firewall-rules \
"FIREWALL_RULE_IDS_OR_NAMES" myfirewallpolicy

Separate firewall rule IDs or names with spaces. The order in which you
specify the rules is important.

You can create a firewall policy without any rules and add rules later,
as follows:

* To add multiple rules, use the update operation.

* To add a single rule, use the insert-rule operation.

For more details, see `Networking command-line client
in the OpenStack Command-Line Interface Reference.

.. note::

FWaaS always adds a default ``deny all`` rule at the lowest precedence
of each policy. Consequently, a firewall policy with no rules blocks
all traffic by default.

#. Create a firewall:

.. code-block:: console

$ neutron firewall-create FIREWALL_POLICY_UUID

.. note::

The firewall remains in PENDING\_CREATE state until you create a
Networking router and attach an interface to it.

+ 24
- 34
doc/source/admin/fwaas.rst View File

@@ -4,10 +4,6 @@ Firewall-as-a-Service (FWaaS)
The Firewall-as-a-Service (FWaaS) plug-in applies firewalls to
OpenStack objects such as projects, routers, and router ports.

.. note::

We anticipate this to expand to VM ports in the Ocata cycle.

The central concepts with OpenStack firewalls are the notions of a firewall
policy and a firewall rule. A policy is an ordered collection of rules. A rule
specifies a collection of attributes (such as port ranges, protocol, and IP
@@ -20,17 +16,6 @@ example, an iptables driver implements firewalls using iptable rules. An
OpenVSwitch driver implements firewall rules using flow entries in flow tables.
A Cisco firewall driver manipulates NSX devices.

FWaaS v1

The original FWaaS implementation, v1, provides protection for routers. When
a firewall is applied to a router, all internal ports are protected.

The following diagram depicts FWaaS v1 protection. It illustrates the flow of
ingress and egress traffic for the VM2 instance:

.. figure:: figures/fwaas.png

FWaaS v2

@@ -41,28 +26,33 @@ policy. A firewall group is applied not at the router level (all ports on a
router) but at the port level. Currently, router ports can be specified. For
Ocata, VM ports can also be specified.

FWaaS v1 versus v2
FWaaS v1

FWaaS v1 was deprecated in the Newton cycle and removed entirely in the Stein

FWaaS Feature Matrix

The following table compares v1 and v2 features.
The following table shows FWaaS v2 features.

| Feature | v1 | v2 |
| Supports L3 firewalling for routers | YES | NO* |
| Supports L3 firewalling for router ports | NO | YES |
| Supports L2 firewalling (VM ports) | NO | YES |
| CLI support | YES | YES |
| Horizon support | YES | NO |
| Feature | Supported |
| Supports L3 firewalling for routers | NO* |
| Supports L3 firewalling for router ports | YES |
| Supports L2 firewalling (VM ports) | YES |
| CLI support | YES |
| Horizon support | NO |

\* A firewall group can be applied to all ports on a given router in order to
effect this.

For further information, see `v1 configuration guide
<./fwaas-v1-scenario.html>`_ or
`v2 configuration guide <./fwaas-v2-scenario.html>`_.
For further information, see the
`FWaaS v2 configuration guide <./fwaas-v2-scenario.html>`_.

+ 0
- 1
doc/source/admin/misc.rst View File

@@ -8,7 +8,6 @@ Miscellaneous
:maxdepth: 2