[openstack-dev] [fwaas] vArmour code question, when the snat dnat process router is triggered?

2015-12-29 Thread Oguz Yarimtepe

Hi,

I am trying to understand the vArmour fwaas driver. Testing it on 
Devstack Liberty environment. Configured it and running its L3 agent 
replacement also. But I couldn't find when the code execution comes to 
the line 
https://github.com/openstack/neutron-fwaas/blob/stable/liberty/neutron_fwaas/services/firewall/agents/varmour/varmour_router.py#L296


I tried adding a new router and removing a router, but couldn't manage to 
debug to that line. What am I missing?


Regards.

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [neutron][fwaas]some architectural advice on fwaas driver writing

2015-12-28 Thread Oguz Yarimtepe
After seeing that vYatta requires a driver plugged in to the interface, 
I gave up debugging it.


Now I am trying the vArmour driver. Looks simpler. Many things are clearer 
except that they have their own L3 agent. It seems it should be 
enabling API calls when a new router is added, removed or updated. I 
tried with a Liberty devstack environment but couldn't manage to fall 
into debug at line 
https://github.com/openstack/neutron-fwaas/blob/stable/liberty/neutron_fwaas/services/firewall/agents/varmour/varmour_router.py#L294


I tried adding a router and removing it. Each time when the code 
execution comes to the line 
https://github.com/openstack/neutron-fwaas/blob/stable/liberty/neutron_fwaas/services/firewall/agents/varmour/varmour_router.py#L278


the global agent code is executed and I couldn't find when the snat or 
floating ip functions are called.


Any idea?

I am also looking for the vArmour firewall software to test, but it seems 
that even for a trial version it is not possible; I applied on their 
site for a demo version and couldn't get any reply yet.


On 11/23/2015 08:25 AM, Germy Lure wrote:

Hi,
Under the current FWaaS architecture or framework, only integrating a 
hardware firewall is not easy. That requires Neutron to support multiple 
vendors at the service level. In other words, vendors must fit each other 
for their services, while currently vendors just provide all services 
through the controller.


I think the root cause is that Neutron just doesn't know how the network 
devices connect to each other. Neutron provides FW, LB, VPN and other 
advanced network functionalities as services. But as the implementation 
layer, Neutron needs TOPO info to make the right decision, routing traffic 
to the right device. For example, from the namespace router to the hardware 
firewall, Neutron should add some internal routes, even extra L3 
interfaces, according to the connection relationship between them. If 
the firewall service is integrated with the router, like Vyatta, it's 
simple. The only thing you need to do is just enable the firewall itself.





[openstack-dev] [keystone] RBAC usage at production

2015-12-09 Thread Oguz Yarimtepe

Hi,

I am wondering whether there are people using RBAC in production. The 
policy.json file has a structure that requires a restart of the service 
each time you edit the file. Is there an on-the-fly solution or tips 
about it?






[openstack-dev] [neutron][fwaas]

2015-11-26 Thread Oguz Yarimtepe

Hi,

I am trying to fork the vArmour FWaaS driver and didn't find how and when the 
https://github.com/openstack/neutron-fwaas/blob/master/neutron_fwaas/services/firewall/agents/varmour/varmour_router.py#L276 
function is called. I put pdb traces but starting neutron-l3-agent never 
falls into a debug state. Is there any vArmour developer here who can help me?




[openstack-dev] [neutron][sfc]

2015-11-24 Thread Oguz Yarimtepe

Hi,

Is there any working Devstack configuration for sfc testing? I just saw 
one commit that is waiting for review.




Re: [openstack-dev] [neutron][fwaas]some architectural advice on fwaas driver writing

2015-11-20 Thread Oguz Yarimtepe
I created a sample driver by looking at the vArmour driver that is in the 
GitHub FWaaS repo. I am planning to call the FW's REST API from the 
suitable functions.


The problem is, I am still not sure how to locate the hardware 
appliance. One of the FWaaS guys says that Service Chaining can help. Does 
anybody have an idea how to insert the fw into OpenStack?


On 11/02/2015 02:36 PM, Somanchi Trinath wrote:


Hi-

I’m confused. Do you really have a PoC implementation of what is to 
be achieved?


As I look into these types of implementations, I would prefer to have a 
proxy driver/plugin to get the configuration from Openstack to the 
external controller/device and do the rest of the magic.


-

Trinath


