After seeing that Vyatta requires a driver plugged in to the interface,
I gave up debugging it.
Now I am trying the vArmour driver. It looks simpler. Many things are clearer,
except that they have their own L3 agent. It seems it should be
enabling API calls when a new router is added, removed or updated. I
tried with a Liberty devstack environment but couldn't manage to get
the debugger to stop at the line
https://github.com/openstack/neutron-fwaas/blob/stable/liberty/neutron_fwaas/services/firewall/agents/varmour/varmour_router.py#L294
I tried adding a router and removing it. Each time, when the code
execution comes to the line
https://github.com/openstack/neutron-fwaas/blob/stable/liberty/neutron_fwaas/services/firewall/agents/varmour/varmour_router.py#L278
the global agent code is executed, and I couldn't find when the SNAT or
floating IP functions are called.
Any idea?
I am also looking for the vArmour firewall software to test, but it seems
that is not possible even for a trial version: I applied on their
site for a demo version and haven't gotten any response yet.
On 11/23/2015 08:25 AM, Germy Lure wrote:
Hi,
Under the current FWaaS architecture or framework, integrating only a
hardware firewall is not easy. That requires Neutron to support multiple
vendors at the service level. In other words, vendors must fit each other
for their services, while currently vendors just provide all services
through the controller.
I think the root cause is that Neutron just doesn't know how the network
devices connect to each other. Neutron provides FW, LB, VPN and other
advanced network functionalities as services. But as the implementation
layer, Neutron needs TOPO info to make the right decision, routing traffic
to the right device. For example, from a namespace router to a hardware
firewall, Neutron should add some internal routes, or even extra L3
interfaces, according to the connection relationship between them. If
the firewall service is integrated with the router, like Vyatta, it's
simple. The only thing you need to do is just enable the firewall itself.
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)