Re: [openstack-dev] [neutron][fwaas]some architectural advice on fwaas driver writing
After seeing that Vyatta requires a driver plugged in to the interface, I gave up debugging it. Now I am trying the vArmour driver. It looks simpler. Many things are clearer, except that they have their own L3 agent. It seems it should be enabling API calls when a new router is added, removed or updated. I tried with a Liberty devstack environment but couldn't manage to drop into the debugger at line
https://github.com/openstack/neutron-fwaas/blob/stable/liberty/neutron_fwaas/services/firewall/agents/varmour/varmour_router.py#L294
I tried adding a router and removing it. Each time the code execution comes to the line
https://github.com/openstack/neutron-fwaas/blob/stable/liberty/neutron_fwaas/services/firewall/agents/varmour/varmour_router.py#L278
the global agent code is executed and I couldn't find when the snat or floating ip functions are called. Any idea?

I am also looking for the vArmour firewall software to test, but it seems that even a trial version is not possible: I applied on their site for a demo version and haven't got any reply yet.

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [neutron][fwaas]some architectural advice on fwaas driver writing
I am checking the Vyatta driver now. They replaced the L3 agent with their own agent and are also using a vrouter image for router creation. Our appliance is not virtual :) So for the linkage between services, can service chaining help me?

--
Oğuz Yarımtepe
http://about.me/oguzy
Re: [openstack-dev] [neutron][fwaas]some architectural advice on fwaas driver writing
Oğuz,

Eventually service chaining will help, but if you need something to work now (and most vendors do) focus on how the other drivers are done. Usually copying the other drivers will work best. On the LBaaS side things are often integrated with tagged VLANs, but I haven't read much of the code…

German
Re: [openstack-dev] [neutron][fwaas]some architectural advice on fwaas driver writing
Hi,

Under the current FWaaS architecture or framework, integrating only a hardware firewall is not easy. That requires Neutron to support multiple vendors at the service level. In other words, vendors must fit each other for their services, while currently vendors just provide all services through their controller.

I think the root cause is that Neutron just doesn't know how the network devices connect to each other. Neutron provides FW, LB, VPN and other advanced network functionalities as services. But as the implementation layer, Neutron needs topology info to make the right decision, routing traffic to the right device. For example, from a namespace router to a hardware firewall, Neutron should add some internal routes, even extra L3 interfaces, according to the connection relationship between them. If the firewall service is integrated with the router, like Vyatta, it's simple. The only thing you need to do is just enable the firewall itself.

All in all, it requires linkage between services, especially between advanced services and the L3 router.

Germy
Re: [openstack-dev] [neutron][fwaas]some architectural advice on fwaas driver writing
Hi-

As I understand you are not sure on "How to locate the Hardware Appliance" which you have as your FW?

Am I right? If so you can look into the https://github.com/jumpojoy/generic_switch kind of approach.

-
Trinath
Re: [openstack-dev] [neutron][fwaas]some architectural advice on fwaas driver writing
I created a sample driver by looking at the vArmour driver that is in the GitHub FWaaS repo. I am planning to call the FW's REST API from the suitable functions.

The problem is, I am still not sure how to locate the hardware appliance. One of the FWaaS guys says that Service Chaining can help; does anybody have an idea of how to insert the FW into OpenStack?
Re: [openstack-dev] [neutron][fwaas]some architectural advice on fwaas driver writing
On Mon, Nov 02, 2015 at 02:39:49AM EST, Oğuz Yarımtepe wrote:
> All I need is to create a firewall but instead of
> using iptables, I want to use the hardware firewall and be able to define
> filtering rules.

In the current experimental API, Firewalls are global in scope and cover an entire tenant. There *is* an API extension (router insertion) that can associate a firewall with a specific tenant Neutron router; however, not every vendor supports it.

You mentioned that your firewall appliance does not route, it just filters. Depending on how you are routing, and on whether you are going to support the router insertion API extension, it could be that your firewall appliance may not be able to filter all traffic. Unless, that is, you put the firewall appliance in as a bump in the wire.

Really this all boils down to the point where the Firewall as a Service API does not have good semantics for where a firewall is inserted, in all cases. Even with the router insertion API extension, there are cases it doesn't cover - like DVR[1]. Currently the FWaaS community is attempting to fix this by just having the API express *what* ports a tenant wishes to associate with a firewall policy, and letting the implementation figure out how best to plumb it and where to insert filtering rules. This means that the API will change semantics significantly, and just inserting a hardware device at the edge would not cover all that the newer Firewall API will be able to express.

[1]: https://etherpad.openstack.org/p/FWaaS_with_DVR

--
Sean M. Collins
Re: [openstack-dev] [neutron][fwaas]some architectural advice on fwaas driver writing
Hi –

Based on this: "Assuming that, it will not be routing traffic, just filtering, and that we will be using virtual routers of Openstack"

As I understand from the email, you might be comfortable configuring the HW-FW using the REST API. So you can write a proxy driver and connect the HW-FW in the setup (which you have tested to make it ready to use). The proxy driver written helps to configure the HW-FW, and the HW-FW filters the traffic.

Having said that, I assume that the HW-FW has some intelligence to process the requests from the proxy driver and update the FW configuration.

*HW-FW – Hardware Firewall.

Hope this helps.

-
Trinath

From: Oğuz Yarımtepe [mailto:oguzyarimt...@gmail.com]
Sent: Monday, November 02, 2015 1:10 PM
To: OpenStack Development Mailing List (not for usage questions)
Subject: [openstack-dev] [neutron][fwaas]some architectural advice on fwaas driver writing

Hi,

After talking with FWaaS developers at the summit (German and Sridar), I decided to write here also; maybe someone has an idea.

I am trying to integrate a hardware firewall into our OpenStack environment. It is custom hardware running BSD and has a REST API for configuration. I talked with Sridar; he gave me a brief understanding of how the FWaaS driver works. Either I will be hacking the community driver and calling the REST API, or writing the driver and calling the REST API there. The problem is, we couldn't figure out how the hardware firewall will be working. Assuming that it will not be routing traffic, just filtering, and that we will be using the virtual routers of OpenStack, do you have a reference architecture for such a case? It seems everyone has their own way of using firewall appliances in OpenStack. All I need is to create a firewall, but instead of using iptables, I want to use the hardware firewall and be able to define filtering rules.

FWaaS guys said that there will be API changes in the future, so at Mitaka it seems the way of FWaaS will be changing, and there are some plans about merging FWaaS and security groups. I am now using Kilo; the solution will also be working at Liberty. It will be great if you give some guidance.

Regards.

--
Oğuz Yarımtepe
http://about.me/oguzy
Re: [openstack-dev] [neutron][fwaas]some architectural advice on fwaas driver writing
Hi,

On Mon, Nov 2, 2015 at 11:25 AM, Somanchi Trinath <trinath.soman...@freescale.com> wrote:
> Hi –
>
> Based on this "Assuming that, it will not be routing traffic, just
> filtering, and that we will be using virtual routers of Openstack"
>
> As I understand from the email, you might be comfortable to configure the
> HW-FW using the ReST API. So you can write a proxy driver and connect the
> HW-FW in the setup (which you have tested to make it ready to use). The
> proxy driver written helps to Configure the HW-FW and the HW-FW filters the
> traffic.
>
> Having said that, I assume that the HW-FW has some intelligence to process
> the requests from proxy driver and update the FW configuration.

To be sure, calling the REST API at https://github.com/openstack/neutron-fwaas/blob/master/neutron_fwaas/services/firewall/drivers/linux/iptables_fwaas.py#L62, for example to create a firewall, is what you are talking about. Instead of iptables, a new driver will be written to handle CRUD operations. To distinguish the tenant networks, I will be using VLAN or VXLAN ids while entering firewall rules, I think.

> *HW-FW – Hardware Firewall.
>
> Hope this helps.
>
> -
> Trinath

Did I understand you right about the proxy driver?
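As an added example (not neutron-fwaas code and not from anyone in the thread), here is the shape of the "proxy driver" Trinath describes and the CRUD-over-REST approach in the message above: a Neutron firewall dict is translated into calls against a hypothetical appliance endpoint, scoped by the tenant's VLAN/VXLAN id. The rule field names are assumed to match what the Liberty iptables driver consumes (check against your release); the appliance API, its base URL and the recording session are stand-ins.

```python
import json

# Rule fields read from a Neutron firewall rule dict (assumed to match the
# Liberty iptables driver's input shape; verify against your release).
_RULE_FIELDS = ("protocol", "ip_version", "source_ip_address",
                "destination_ip_address", "source_port",
                "destination_port", "action")


class RecordingSession:
    """Stand-in for an HTTP session: records the calls the driver would make."""

    def __init__(self):
        self.calls = []

    def request(self, method, path, body=None):
        self.calls.append((method, path, body))
        return {"status": 200}


class ApplianceFwaasDriver:
    """Proxy driver: Neutron firewall CRUD -> appliance REST calls, one rule
    set per tenant segment id (VLAN/VXLAN id). The endpoint is hypothetical."""

    def __init__(self, session, base="https://fw.example.invalid/api/v1"):
        self.session = session
        self.base = base

    def _translate(self, firewall):
        """Order-preserving translation of the policy's rules, default-deny last."""
        rules = []
        for r in firewall.get("firewall_rule_list", []):
            if not r.get("enabled", True):
                continue  # disabled rules stay in the policy but must not match
            rule = {k: r[k] for k in _RULE_FIELDS if r.get(k) is not None}
            rule["name"] = r["id"]  # key appliance rules by Neutron rule id
            rules.append(rule)
        # As with the iptables driver, traffic no rule matched is dropped.
        rules.append({"action": "deny", "name": "default-deny"})
        return rules

    def _push(self, segment_id, firewall_id, rules):
        path = "%s/segments/%s/rules" % (self.base, segment_id)
        body = json.dumps({"firewall_id": firewall_id, "rules": rules},
                          sort_keys=True)
        return self.session.request("PUT", path, body)

    def create_firewall(self, segment_id, firewall):
        return self._push(segment_id, firewall["id"], self._translate(firewall))

    def update_firewall(self, segment_id, firewall):
        # Full replacement, so the appliance holds exactly what Neutron holds.
        return self.create_firewall(segment_id, firewall)

    def apply_default_policy(self, segment_id, firewall):
        # Called when the firewall is admin-down: fail closed, never open.
        return self._push(segment_id, firewall["id"],
                          [{"action": "deny", "name": "default-deny"}])


def demo():
    """Push a constructed two-rule firewall and return the recorded calls."""
    firewall = {  # constructed sample, not from a real deployment
        "id": "fw-1", "firewall_rule_list": [
            {"id": "r1", "enabled": True, "action": "allow", "protocol": "tcp",
             "ip_version": 4, "destination_ip_address": "10.0.0.0/24",
             "destination_port": "443", "source_ip_address": None},
            {"id": "r2", "enabled": False, "action": "allow", "protocol": "icmp"},
        ]}
    session = RecordingSession()
    drv = ApplianceFwaasDriver(session)
    drv.create_firewall(1042, firewall)      # tenant segment: VLAN 1042
    drv.apply_default_policy(1042, firewall)
    return session.calls
```

Swapping `RecordingSession` for a real HTTP client is the only change needed to talk to an appliance; the translation itself is deterministic and always ends in a deny rule, so an admin-down or empty policy never leaves a tenant segment open.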
Re: [openstack-dev] [neutron][fwaas]some architectural advice on fwaas driver writing
Hi-

I'm confused. Do you really have a PoC implementation of what is to be achieved?

As I look into these types of implementations, I would prefer to have a proxy driver/plugin to get the configuration from OpenStack to an external controller/device and do the rest of the magic.

-
Trinath
Re: [openstack-dev] [neutron][fwaas]some architectural advice on fwaas driver writing
On Mon, Nov 2, 2015 at 1:36 PM, Somanchi Trinath <trinath.soman...@freescale.com> wrote:
> Hi-

Hi,

> I'm confused. Do you really have an PoC implementation of what is to be
> achieved?

No indeed. I am using the iptables driver to understand the FWaaS structure and trying to replace it with our HW FW. Now my plan is to just create a FW with some rules defined on it.

> As I look into these type of Implementations, I would prefer to have proxy
> driver/plugin to get the configuration from Openstack to external
> controller/device and do the rest of the magic.

Now I am a bit confused about that proxy driver. Are we talking about something like https://github.com/openstack/neutron-fwaas/blob/master/neutron_fwaas/services/firewall/drivers/linux/iptables_fwaas.py or another external app to handle the issues? Can you make this proxy part a bit clearer?