Re: [openstack-dev] [neutron][fwaas]some architectural advice on fwaas driver writing

[Oguz Yarimtepe]

After seeing that vYatta requires a driver plugged in to the interface, 
i gave up debugging it.


Now i am trying vArmour driver. Looks simpler. Many things are clearer 
except from that they have their own L3 agent. It sees it should be 
enabling API calls when a new router is added, removed or updated. I 
tried with a Liberty devstack environment but couldn't managed to fall 
to debug into line 
https://github.com/openstack/neutron-fwaas/blob/stable/liberty/neutron_fwaas/services/firewall/agents/varmour/varmour_router.py#L294


I tried adding a router and removing it. Each time when the code 
execution comes to the line 
https://github.com/openstack/neutron-fwaas/blob/stable/liberty/neutron_fwaas/services/firewall/agents/varmour/varmour_router.py#L278


the global agent code is executed and i couldn't find when the snat or 
floating ip functions are called.


Any idea?

I am also looking for the vArmour firewall software to test, but seems 
even for trial version it is not possible, since i applied from their 
site for a demo version, i couldn't get any return yet.


On 11/23/2015 08:25 AM, Germy Lure wrote:

Hi,
Under current FWaaS architecture or framework, only integrating 
hardware firewall is not easy. That requires neutron support service 
level multiple vendors. In another word, vendors must fit each other 
for their services while currently vendors just provides all services 
through controller.


I think the root cause is Neutron just doesn't known how the network 
devices connect each other.  Neutron provides FW, LB, VPN and other 
advanced network functionalists as services. But as the implementation 
layer, Neutron needs TOPO info to make right decision, routing traffic 
to the right device. For example, from namespace router to hardware 
firewall, Neutron should add some internal routes even extra L3 
interfaces according to the connection relationship between them. If 
the firewall service is integrated with router, like Vyatta, it's 
simple. The only thing you need to do is just enable the firewall itself.



__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [neutron][fwaas]some architectural advice on fwaas driver writing

[Oğuz Yarımtepe]

I am checking the vyatta driver now and they replaced l3 agent with their
own agent and also using a vrouter image for router creation. Our appliance
is not virtual :)
So for the linkage between services, can service chaining help me?

On Mon, Nov 23, 2015 at 8:25 AM, Germy Lure <germy.l...@gmail.com> wrote:

> Hi,
> Under current FWaaS architecture or framework, only integrating hardware
> firewall is not easy. That requires neutron support service level multiple
> vendors. In another word, vendors must fit each other for their services
> while currently vendors just provides all services through controller.
>
> I think the root cause is Neutron just doesn't known how the network
> devices connect each other.  Neutron provides FW, LB, VPN and other
> advanced network functionalists as services. But as the implementation
> layer, Neutron needs TOPO info to make right decision, routing traffic to
> the right device. For example, from namespace router to hardware firewall,
> Neutron should add some internal routes even extra L3 interfaces according
> to the connection relationship between them. If the firewall service is
> integrated with router, like Vyatta, it's simple. The only thing you need
> to do is just enable the firewall itself.
>
> All in all, it requires linkage between services, especially between
> advanced services and L3 router.
>
> Germy
> .
>
> On Fri, Nov 20, 2015 at 9:19 PM, Somanchi Trinath <
> trinath.soman...@freescale.com> wrote:
>
>> Hi-
>>
>>
>>
>> As I understand you are not sure on “How to locate the Hardware
>> Appliance” which you have as your FW?
>>
>>
>>
>> Am I right?  If so you can look into,
>> https://github.com/jumpojoy/generic_switch kind of approach.
>>
>>
>>
>> -
>>
>> Trinath
>>
>>
>>
>>
>>
>>
>>
>> *From:* Oguz Yarimtepe [mailto:oguzyarimt...@gmail.com]
>> *Sent:* Friday, November 20, 2015 5:52 PM
>> *To:* OpenStack Development Mailing List (not for usage questions) <
>> openstack-dev@lists.openstack.org>
>> *Subject:* Re: [openstack-dev] [neutron][fwaas]some architectural advice
>> on fwaas driver writing
>>
>>
>>
>> I created a sample driver by looking at vArmour driver that is at the
>> Github FWaaS repo. I am planning to call the FW's REST API from the
>> suitable functions.
>>
>> The problem is, i am still not sure how to locate the hardware appliance.
>> One of the FWaaS guy says that Service Chaining can help, any body has an
>> idea or how to insert the fw to OpenStack?
>>
>> On 11/02/2015 02:36 PM, Somanchi Trinath wrote:
>>
>> Hi-
>>
>>
>>
>> I’m confused. Do you really have an PoC implementation of what is to be
>> achieved?
>>
>>
>>
>> As I look into these type of Implementations, I would prefer to have
>> proxy driver/plugin to get the configuration from Openstack to external
>> controller/device and do the rest of the magic.
>>
>>
>>
>> -
>>
>> Trinath
>>
>>
>>
>> __
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>


-- 
Oğuz Yarımtepe
http://about.me/oguzy
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [neutron][fwaas]some architectural advice on fwaas driver writing

[Eichberger, German]

Oğuz,

Eventually service chaining will help but if you need something to work now 
(and most vendors do) focus on how the other drivers are done. Usually copying 
the other drivers will work best. On the LBaaS side things are often integrated 
with tagged vLans but I haven’ read much of the code…

German

From: Oğuz Yarımtepe <oguzyarimt...@gmail.com<mailto:oguzyarimt...@gmail.com>>
Reply-To: "OpenStack Development Mailing List (not for usage questions)" 
<openstack-dev@lists.openstack.org<mailto:openstack-dev@lists.openstack.org>>
Date: Monday, November 23, 2015 at 5:01 AM
To: "OpenStack Development Mailing List (not for usage questions)" 
<openstack-dev@lists.openstack.org<mailto:openstack-dev@lists.openstack.org>>
Subject: Re: [openstack-dev] [neutron][fwaas]some architectural advice on fwaas 
driver writing

I am checking the vyatta driver now and they replaced l3 agent with their own 
agent and also using a vrouter image for router creation. Our appliance is not 
virtual :)
So for the linkage between services, can service chaining help me?

On Mon, Nov 23, 2015 at 8:25 AM, Germy Lure 
<germy.l...@gmail.com<mailto:germy.l...@gmail.com>> wrote:
Hi,
Under current FWaaS architecture or framework, only integrating hardware 
firewall is not easy. That requires neutron support service level multiple 
vendors. In another word, vendors must fit each other for their services while 
currently vendors just provides all services through controller.

I think the root cause is Neutron just doesn't known how the network devices 
connect each other.  Neutron provides FW, LB, VPN and other advanced network 
functionalists as services. But as the implementation layer, Neutron needs TOPO 
info to make right decision, routing traffic to the right device. For example, 
from namespace router to hardware firewall, Neutron should add some internal 
routes even extra L3 interfaces according to the connection relationship 
between them. If the firewall service is integrated with router, like Vyatta, 
it's simple. The only thing you need to do is just enable the firewall itself.

All in all, it requires linkage between services, especially between advanced 
services and L3 router.

Germy
.

On Fri, Nov 20, 2015 at 9:19 PM, Somanchi Trinath 
<trinath.soman...@freescale.com<mailto:trinath.soman...@freescale.com>> wrote:
Hi-

As I understand you are not sure on “How to locate the Hardware Appliance” 
which you have as your FW?

Am I right?  If so you can look into, 
https://github.com/jumpojoy/generic_switch kind of approach.

-
Trinath



From: Oguz Yarimtepe 
[mailto:oguzyarimt...@gmail.com<mailto:oguzyarimt...@gmail.com>]
Sent: Friday, November 20, 2015 5:52 PM
To: OpenStack Development Mailing List (not for usage questions) 
<openstack-dev@lists.openstack.org<mailto:openstack-dev@lists.openstack.org>>
Subject: Re: [openstack-dev] [neutron][fwaas]some architectural advice on fwaas 
driver writing

I created a sample driver by looking at vArmour driver that is at the Github 
FWaaS repo. I am planning to call the FW's REST API from the suitable functions.

The problem is, i am still not sure how to locate the hardware appliance. One 
of the FWaaS guy says that Service Chaining can help, any body has an idea or 
how to insert the fw to OpenStack?
On 11/02/2015 02:36 PM, Somanchi Trinath wrote:
Hi-

I’m confused. Do you really have an PoC implementation of what is to be 
achieved?

As I look into these type of Implementations, I would prefer to have proxy 
driver/plugin to get the configuration from Openstack to external 
controller/device and do the rest of the magic.

-
Trinath


__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: 
openstack-dev-requ...@lists.openstack.org?subject:unsubscribe<http://openstack-dev-requ...@lists.openstack.org?subject:unsubscribe>
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: 
openstack-dev-requ...@lists.openstack.org?subject:unsubscribe<http://openstack-dev-requ...@lists.openstack.org?subject:unsubscribe>
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev




--
Oğuz Yarımtepe
http://about.me/oguzy
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [neutron][fwaas]some architectural advice on fwaas driver writing

[Germy Lure]

Hi,
Under current FWaaS architecture or framework, only integrating hardware
firewall is not easy. That requires neutron support service level multiple
vendors. In another word, vendors must fit each other for their services
while currently vendors just provides all services through controller.

I think the root cause is Neutron just doesn't known how the network
devices connect each other.  Neutron provides FW, LB, VPN and other
advanced network functionalists as services. But as the implementation
layer, Neutron needs TOPO info to make right decision, routing traffic to
the right device. For example, from namespace router to hardware firewall,
Neutron should add some internal routes even extra L3 interfaces according
to the connection relationship between them. If the firewall service is
integrated with router, like Vyatta, it's simple. The only thing you need
to do is just enable the firewall itself.

All in all, it requires linkage between services, especially between
advanced services and L3 router.

Germy
.

On Fri, Nov 20, 2015 at 9:19 PM, Somanchi Trinath <
trinath.soman...@freescale.com> wrote:

> Hi-
>
>
>
> As I understand you are not sure on “How to locate the Hardware Appliance”
> which you have as your FW?
>
>
>
> Am I right?  If so you can look into,
> https://github.com/jumpojoy/generic_switch kind of approach.
>
>
>
> -
>
> Trinath
>
>
>
>
>
>
>
> *From:* Oguz Yarimtepe [mailto:oguzyarimt...@gmail.com]
> *Sent:* Friday, November 20, 2015 5:52 PM
> *To:* OpenStack Development Mailing List (not for usage questions) <
> openstack-dev@lists.openstack.org>
> *Subject:* Re: [openstack-dev] [neutron][fwaas]some architectural advice
> on fwaas driver writing
>
>
>
> I created a sample driver by looking at vArmour driver that is at the
> Github FWaaS repo. I am planning to call the FW's REST API from the
> suitable functions.
>
> The problem is, i am still not sure how to locate the hardware appliance.
> One of the FWaaS guy says that Service Chaining can help, any body has an
> idea or how to insert the fw to OpenStack?
>
> On 11/02/2015 02:36 PM, Somanchi Trinath wrote:
>
> Hi-
>
>
>
> I’m confused. Do you really have an PoC implementation of what is to be
> achieved?
>
>
>
> As I look into these type of Implementations, I would prefer to have proxy
> driver/plugin to get the configuration from Openstack to external
> controller/device and do the rest of the magic.
>
>
>
> -
>
> Trinath
>
>
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [neutron][fwaas]some architectural advice on fwaas driver writing

[Somanchi Trinath]

Hi-

As I understand you are not sure on "How to locate the Hardware Appliance" 
which you have as your FW?

Am I right?  If so you can look into, 
https://github.com/jumpojoy/generic_switch kind of approach.

-
Trinath



From: Oguz Yarimtepe [mailto:oguzyarimt...@gmail.com]
Sent: Friday, November 20, 2015 5:52 PM
To: OpenStack Development Mailing List (not for usage questions) 
<openstack-dev@lists.openstack.org>
Subject: Re: [openstack-dev] [neutron][fwaas]some architectural advice on fwaas 
driver writing

I created a sample driver by looking at vArmour driver that is at the Github 
FWaaS repo. I am planning to call the FW's REST API from the suitable functions.

The problem is, i am still not sure how to locate the hardware appliance. One 
of the FWaaS guy says that Service Chaining can help, any body has an idea or 
how to insert the fw to OpenStack?
On 11/02/2015 02:36 PM, Somanchi Trinath wrote:
Hi-

I'm confused. Do you really have an PoC implementation of what is to be 
achieved?

As I look into these type of Implementations, I would prefer to have proxy 
driver/plugin to get the configuration from Openstack to external 
controller/device and do the rest of the magic.

-
Trinath

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [neutron][fwaas]some architectural advice on fwaas driver writing

[Oguz Yarimtepe]

I created a sample driver by looking at vArmour driver that is at the 
Github FWaaS repo. I am planning to call the FW's REST API from the 
suitable functions.


The problem is, i am still not sure how to locate the hardware 
appliance. One of the FWaaS guy says that Service Chaining can help, any 
body has an idea or how to insert the fw to OpenStack?


On 11/02/2015 02:36 PM, Somanchi Trinath wrote:


Hi-

I’m confused. Do you really have an PoC implementation of what is to 
be achieved?


As I look into these type of Implementations, I would prefer to have 
proxy driver/plugin to get the configuration from Openstack to 
external controller/device and do the rest of the magic.


-

Trinath



__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [neutron][fwaas]some architectural advice on fwaas driver writing

[Sean M. Collins]

On Mon, Nov 02, 2015 at 02:39:49AM EST, Oğuz Yarımtepe wrote:
> All i need is to create a firewall but instead of
> using Iptables, i want to use the hardware firewall and be able to define
> filtering rules.

In the current experimental API, Firewalls are
global in scope and cover an entire tenant. There *is* an API extension
(router insertion) that can associate a firewall with a specific tenant
Neutron router, however not every vendor supports it.

You mentioned that your firewall appliance does not route, it just
filters. Depending on how you are routing, and if you are going to
support the router insertion API extension, it could be that your
firewall appliance may not be able to filter all traffic. Unless that
is, you put the firewall appliance in, as a bump in the wire.

Really this all boils down to the point where the Firewall as a Service
API does not have good semantics for where a firewall is inserted, in
all cases. Even with the router insertion API extension, there are cases
where it doesn't cover - like DVR[1].

Currently the FwaaS community is attempting to fix this, by just having
the API express *what* ports a tenant wishes to associate with a
firewall policy, and let the implementation figure out how best to plumb
it, and where to insert filtering rules.

This means that the API will change semantics significantly, and just
inserting a hardware device at the edge would not cover all that the
newer Firewall API will be able to express.

[1]: https://etherpad.openstack.org/p/FWaaS_with_DVR

-- 
Sean M. Collins

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [neutron][fwaas]some architectural advice on fwaas driver writing

[Somanchi Trinath]

Hi –

Based on this “Assuming that, it will not be routing traffic, just filtering, 
and that we will be using virtual routers of Openstack”

As I understand from the email, you might be comfortable to configure the HW-FW 
using the ReST API. So you can write a proxy driver and connect the HW-FW in 
the setup (which you have tested to make it ready to use). The proxy driver 
written helps to Configure the HW-FW and the HW-FW filters the traffic.

Having said that, I assume that the HW-FW has some intelligence to process the 
requests from proxy driver and update the FW configuration.

*HW-FW – Hardware Firewall.

Hope this helps.

-
Trinath


From: Oğuz Yarımtepe [mailto:oguzyarimt...@gmail.com]
Sent: Monday, November 02, 2015 1:10 PM
To: OpenStack Development Mailing List (not for usage questions) 

Subject: [openstack-dev] [neutron][fwaas]some architectural advice on fwaas 
driver writing

Hi,
After talking with FWaaS developers at the summit (German and Sridar), i 
decided to write here also, maybe someone has an idea. I am trying to integrate 
a hardware firewall to our Openstack environment. It is a custom hardware 
running BSD on it and has a REST API for configuring. I talked with Sridar, he 
gave me the brief understanding of how FWaaS driver is working.
Either i will be hacking the community driver and calling the REST API or 
writing the driver and calling the REST API there. The problem is, we couldn't 
figured it out how will the hardware firewall be working. Assuming that, it 
will not be routing traffic, just filtering, and that we will be using virtual 
routers of Openstack, do you have a reference architecture for such a case? It 
seems everyone has its own way of using firewall appliances in OpenStack. All i 
need is to create a firewall but instead of using Iptables, i want to use the 
hardware firewall and be able to define filtering rules.
FWaaS guys said that there will be API changes in the future so at Mitaka, it 
seems the way of FWaaS will be changing and there are some plans about merging 
FWaaS and security groups.
I am now using Kilo, the solution also will be working at Liberty also. Will be 
great if you give some guidance.
Regards.

--
Oğuz Yarımtepe
http://about.me/oguzy
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [neutron][fwaas]some architectural advice on fwaas driver writing

[Oğuz Yarımtepe]

Hi,

On Mon, Nov 2, 2015 at 11:25 AM, Somanchi Trinath <
trinath.soman...@freescale.com> wrote:

> Hi –
>
>
>
> Based on this “Assuming that, it will not be routing traffic, just
> filtering, and that we will be using virtual routers of Openstack”
>
>
>
> As I understand from the email, you might be comfortable to configure the
> HW-FW using the ReST API. So you can write a proxy driver and connect the
> HW-FW in the setup (which you have tested to make it ready to use). The
> proxy driver written helps to Configure the HW-FW and the HW-FW filters the
> traffic.
>
>
>
> Having said that, I assume that the HW-FW has some intelligence to process
> the requests from proxy driver and update the FW configuration.
>
>
>

To be sure, calling the REST API at
https://github.com/openstack/neutron-fwaas/blob/master/neutron_fwaas/services/firewall/drivers/linux/iptables_fwaas.py#L62
for ex to create a firewall is what you are talking about. Instead of
iptables, a new driver will be written to handle CRUD operations.

To distinguish the tenant networks, i will be using vlan or vxlan ids while
entering firewall rules, i think.



> *HW-FW – Hardware Firewall.
>
>
>
> Hope this helps.
>
>
>
> -
>
> Trinath
>
>
>


Did I understand you right, about the proxy driver?
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [neutron][fwaas]some architectural advice on fwaas driver writing

[Somanchi Trinath]

Hi-

I’m confused. Do you really have an PoC implementation of what is to be 
achieved?

As I look into these type of Implementations, I would prefer to have proxy 
driver/plugin to get the configuration from Openstack to external 
controller/device and do the rest of the magic.

-
Trinath

From: Oğuz Yarımtepe [mailto:oguzyarimt...@gmail.com]
Sent: Monday, November 02, 2015 4:36 PM
To: OpenStack Development Mailing List (not for usage questions) 
<openstack-dev@lists.openstack.org>
Subject: Re: [openstack-dev] [neutron][fwaas]some architectural advice on fwaas 
driver writing

Hi,

On Mon, Nov 2, 2015 at 11:25 AM, Somanchi Trinath 
<trinath.soman...@freescale.com<mailto:trinath.soman...@freescale.com>> wrote:
Hi –

Based on this “Assuming that, it will not be routing traffic, just filtering, 
and that we will be using virtual routers of Openstack”

As I understand from the email, you might be comfortable to configure the HW-FW 
using the ReST API. So you can write a proxy driver and connect the HW-FW in 
the setup (which you have tested to make it ready to use). The proxy driver 
written helps to Configure the HW-FW and the HW-FW filters the traffic.

Having said that, I assume that the HW-FW has some intelligence to process the 
requests from proxy driver and update the FW configuration.


To be sure, calling the REST API at 
https://github.com/openstack/neutron-fwaas/blob/master/neutron_fwaas/services/firewall/drivers/linux/iptables_fwaas.py#L62
 for ex to create a firewall is what you are talking about. Instead of 
iptables, a new driver will be written to handle CRUD operations.
To distinguish the tenant networks, i will be using vlan or vxlan ids while 
entering firewall rules, i think.


*HW-FW – Hardware Firewall.

Hope this helps.

-
Trinath


Did I understand you right, about the proxy driver?

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [neutron][fwaas]some architectural advice on fwaas driver writing

[Oğuz Yarımtepe]

On Mon, Nov 2, 2015 at 1:36 PM, Somanchi Trinath <
trinath.soman...@freescale.com> wrote:

> Hi-
>
>
>

Hi,


> I’m confused. Do you really have an PoC implementation of what is to be
> achieved?
>
>

No indeed. I am using iptables driver to understand the FWaaS structure and
trying to replace it with our hw fw. Now my plan is to just create a fw
with some rules defined on it.


>
>
> As I look into these type of Implementations, I would prefer to have proxy
> driver/plugin to get the configuration from Openstack to external
> controller/device and do the rest of the magic.
>

Now i am bit confused about that proxy driver. Are we talking about
something like
https://github.com/openstack/neutron-fwaas/blob/master/neutron_fwaas/services/firewall/drivers/linux/iptables_fwaas.py
or another external app to handle the issues? Can you make this proxy part
a bit clearer?
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev