[openstack-dev] [neutron][fwaas]some architectural advice on fwaas driver writing

Oguz Yarimtepe oguzyarimtepe at gmail.com
Mon Dec 28 07:57:42 UTC 2015


After seeing that Vyatta requires a driver plugged in to the interface, 
I gave up debugging it.

Now I am trying the vArmour driver. It looks simpler. Many things are clearer 
except that they have their own L3 agent. It seems it should be 
enabling API calls when a new router is added, removed or updated. I 
tried with a Liberty devstack environment but couldn't manage to get the 
debugger to stop at line 
https://github.com/openstack/neutron-fwaas/blob/stable/liberty/neutron_fwaas/services/firewall/agents/varmour/varmour_router.py#L294

I tried adding a router and removing it. Each time the code 
execution reaches the line 
https://github.com/openstack/neutron-fwaas/blob/stable/liberty/neutron_fwaas/services/firewall/agents/varmour/varmour_router.py#L278

the global agent code is executed, and I couldn't find when the SNAT or 
floating IP functions are called.

Any idea?

I am also looking for the vArmour firewall software to test, but it seems 
that even a trial version is not possible; I applied on their 
site for a demo version and haven't received any response yet.

On 11/23/2015 08:25 AM, Germy Lure wrote:
> Hi,
> Under the current FWaaS architecture or framework, only integrating a 
> hardware firewall is not easy. That requires Neutron to support 
> multiple vendors at the service level. In other words, vendors must fit each other 
> for their services, while currently vendors just provide all services 
> through a controller.
>
> I think the root cause is that Neutron just doesn't know how the network 
> devices connect to each other.  Neutron provides FW, LB, VPN and other 
> advanced network functionalities as services. But as the implementation 
> layer, Neutron needs TOPO info to make the right decision, routing traffic 
> to the right device. For example, from a namespace router to a hardware 
> firewall, Neutron should add some internal routes or even extra L3 
> interfaces according to the connection relationship between them. If 
> the firewall service is integrated with the router, like Vyatta, it's 
> simple. The only thing you need to do is just enable the firewall itself.