OpenStack Neutron FWaaS learning notes (by quqi99)
Zhang Hua posted on:
Copyright notice: this article may be freely reproduced, but reprints must credit the original source and author with a hyperlink and keep this copyright notice (http://blog.csdn.net/quqi99)
Another firewall-related article: Firewall in OpenStack (by quqi99), http://blog.csdn.net/quqi99/article/details/7447233
The OpenStack networking component has been renamed from Quantum to Neutron. Quantum already had a security group implementation; it runs on every compute node and is used to:
1) filter traffic entering a VM on the compute node
2) filter traffic leaving a VM (nova-network does not support this)
3) filter traffic between VMs
Security groups are typically used as follows:
$ nova secgroup-create mygroup description
$ nova secgroup-add-rule mygroup tcp 22 22 192.168.1.0/24
$ nova boot --flavor 1 --image f16f1d2d-71d6-41b7-98a5-319f142d61f5 --security_groups mygroup I1
The security group above is implemented as a series of iptables rules matching source/destination IP addresses and TCP ports. It cannot express application-level features such as the audited rules of a next-generation firewall, nor does it provide edge firewall features. So when Neutron introduced the L4/L7 service framework, it also launched the FWaaS service (https://docs.google.com/document/d/1PJaKvsX2MzMRlLGfR0fBkrMraHYF0flvl0sqyZ704tA/edit?pli=1).
In FWaaS, a tenant can create multiple firewall instances; each virtual firewall instance is associated with firewall policies, and each firewall policy consists of an ordered list of firewall rules. A rule cannot be applied directly; it must be added to a policy, because the policy is what gets audited first. For example:
The application scenario for a multi-layer firewall is as follows:
The Neutron L3 agent runs on the gateway host. It instantiates multiple Neutron routers using Linux network namespaces, and one tenant can use multiple routers. Inside a router, the qr-xxx virtual interface connects to the tenant network and the qg-xxx virtual interface connects to the external network. The firewall service should filter all traffic entering and leaving the tenant network, so the firewall policy is applied on the qr-xxx virtual interfaces (in iptables, the egress rules use "-o qr-+" and the ingress rules use "-i qr-+"). If a policy is meant to apply to all tenant networks it could be attached to the qg-xxx interface instead, but the Havana release does not implement this, nor the concept of zones (a group of interfaces such as the qr-xxx interfaces above could form a zone, and there is no address-spoofing check). Therefore, firewall rules are applied not only on the compute nodes (security groups) but also in the namespace corresponding to the tenant's router (these are the so-called edge firewall rules).
There are four chains: one each for outbound and inbound traffic, for both IPv4 and IPv6:
Accordingly, the FWaaS agent exposes a few methods:
create_firewall(apply_list, firewall): firewall refers to a group of the firewall rules described above, and apply_list refers to the network namespaces (routers) the rules are applied to
update_firewall(apply_list, firewall)
delete_firewall(apply_list, firewall)
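To make the chain layout concrete, here is an added example (not from the original post and not Neutron's own driver code) that renders a firewall policy into the iptables rules a Havana-style FWaaS iptables driver would install in a router namespace: the four per-direction, per-family chains, the "-i qr-+" / "-o qr-+" jump rules, and the policy's rule ordering. The chain-name suffix and the closing default-deny entry in each chain are assumptions made for this example.

```python
# Added illustration, not Neutron's own code: render the iptables rules a
# Havana-style FWaaS iptables driver installs inside a router namespace.
# Four chains (ingress/egress x IPv4/IPv6), rules applied in both directions
# on qr-+, plus FORWARD jump rules. Chain suffix and default deny are assumed.
import ipaddress

IPTABLES_DIR = {"ingress": "-i", "egress": "-o"}   # -i qr-+ / -o qr-+ as above
CHAIN_PREFIX = {"ingress": "i", "egress": "o"}

def rule_ip_version(rule):
    """IP family from the rule's CIDRs (falls back to rule['ip_version'], then 4)."""
    for key in ("source_ip_address", "destination_ip_address"):
        if rule.get(key):
            return ipaddress.ip_network(rule[key], strict=False).version
    return rule.get("ip_version", 4)

def render_rule(rule):
    """Convert one FWaaS rule dict into iptables match arguments and a target."""
    args = []
    if rule.get("protocol"):
        args += ["-p", rule["protocol"]]
    if rule.get("destination_port"):
        args += ["--dport", str(rule["destination_port"])]
    if rule.get("source_ip_address"):
        args += ["-s", rule["source_ip_address"]]
    if rule.get("destination_ip_address"):
        args += ["-d", rule["destination_ip_address"]]
    args += ["-j", "ACCEPT" if rule["action"] == "allow" else "DROP"]
    return " ".join(args)

def build_chains(fw_tag, policy):
    """Return ({chain_name: [iptables rules]}, [FORWARD jump rules]) for a policy."""
    def name(d, v):
        return f"{CHAIN_PREFIX[d]}v{v}{fw_tag}"
    chains = {name(d, v): [] for d in IPTABLES_DIR for v in (4, 6)}
    for rule in policy:                      # policy order is kept: first match wins
        if rule.get("enabled", True):
            for d in IPTABLES_DIR:           # Havana rules have no direction: both ways
                chains[name(d, rule_ip_version(rule))].append(render_rule(rule))
    for rules in chains.values():
        rules.append("-j DROP")              # assumed default deny closing each chain
    jumps = [f"{IPTABLES_DIR[d]} qr-+ -j {name(d, v)}" for v in (4, 6) for d in IPTABLES_DIR]
    return chains, jumps

# Constructed sample policy: SSH from one subnet and ICMP allowed, everything else dropped.
SAMPLE_POLICY = [
    {"protocol": "tcp", "destination_port": 22, "source_ip_address": "192.168.1.0/24", "action": "allow"},
    {"protocol": "icmp", "action": "allow"},
]
```

Calling build_chains("_fw1", SAMPLE_POLICY) yields the two IPv4 chains with the SSH and ICMP rules followed by the drop, the two IPv6 chains holding only the drop, and four jump rules from FORWARD.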
Where the firewall instance above gets applied to the VM's traffic involves the L4/L7 service framework. Previously Neutron had only a single-level plugin structure (for example the OVS plugin or the Linux Bridge plugin); with the L4/L7 service framework this became two-tiered, so that several services (such as LBaaS and FWaaS) can be added under one core plugin (such as the OVS plugin). See: https://docs.google.com/document/d/1iLzieNKxM7xip_lRidmalAhF_6-Yf1b_cePF4yeAnkQ/edit?pli=1
Related code and blueprints:
1) Firewall as a Service (FWaaS) APIs and DB model, https://review.openstack.org/29004
2) FWaaS agent, https://blueprints.launchpad.net/quantum/+spec/quantum-fwaas-agent
3) FWaaS plugin, https://blueprints.launchpad.net/quantum/+spec/quantum-fwaas-plugin
4) FWaaS iptables driver, https://blueprints.launchpad.net/quantum/+spec/quantum-fwaas-iptables-driver