[openstack-dev] [Neutron] FWaaS - question about drivers

Sumit Naiksatam sumitnaiksatam at gmail.com
Sat Feb 21 00:20:13 UTC 2015


Inline...

On Fri, Feb 20, 2015 at 3:38 PM, Sławek Kapłoński <slawek at kaplonski.pl> wrote:
> Hello,
>
> Thx guys. Now it is clear for me :)
> One more question. I saw that in this service plugin there is hardcoded quota
> 1 firewall per tenant. Do you know why it is so limited? Is there any
> important reason for that?

This is a current limitation of the reference implementation, since we
associate the FWaaS firewall resource with all the neutron routers.
Note that this is not a limitation of the FWaaS model, hence, if your
backend can support it, you can override this limitation.

> And second thing. As there is only one firewall per tenant so all rules from
> it will be applied on all routers (L3 agents) from this tenant and for all
> tenant networks, am I right? If yes, how it is solved to set firewall rules

In general, this limitation is going away in the Kilo release. See the
following patch under review which removes the limitation of one
router per tenant:
https://review.openstack.org/#/c/152697/

> when for example new router is created? L3 agent is asking about rules via rpc
> or FwaaS is sending such notification to L3 agent?

In the current implementation this is automatically reconciled.
Whenever a new router comes up, the FWaaS agent pulls the rules and
applies them on the interfaces of the new router.

> Sorry if my questions are silly but I didn't do anything with this service
> plugins yet :)
>
> --
> Pozdrawiam / Best regards
> Sławek Kapłoński
> slawek at kaplonski.pl
>
> On Friday, 20 February 2015 16:27:33 Doug Wiegley wrote:
>> Same project, shiny new repo.
>>
>> doug
>>
>> > On Feb 20, 2015, at 4:05 PM, Sławek Kapłoński <slawek at kaplonski.pl> wrote:
>> >
>> > Hello,
>> >
>> > Thx for tips. I have one more question. You point me to neutron-fwaas
>> > project which for me looks like different project than neutron. I saw
>> > fwaas service plugin directly in neutron in Juno. So which "version"
>> > should I use: this neutron-fwaas or service plugin from neutron? Or maybe
>> > it is the same or I misunderstand something?
>> >
>> > --
>> > Pozdrawiam / Best regards
>> > Sławek Kapłoński
>> > slawek at kaplonski.pl
>> >
>> > On Friday, 20 February 2015 14:44:21 Sumit Naiksatam wrote:
>> >> Inline...
>> >>
>> >> On Wed, Feb 18, 2015 at 7:48 PM, Vikram Choudhary <vikram.choudhary at huawei.com> wrote:
>> >>> Hi,
>> >>>
>> >>> You can write your own driver. You can refer to below links for getting
>> >>> some idea about the architecture.
>> >>>
>> >>> https://wiki.openstack.org/wiki/Neutron/ServiceTypeFramework
>> >>
>> >> This is a legacy construct and should not be used.
>> >>
>> >>> https://wiki.openstack.org/wiki/Neutron/LBaaS/Agent
>> >>
>> >> The above pointer is to a LBaaS Agent which is very different from a
>> >> FWaaS driver (which was the original question in the email).
>> >>
>> >> FWaaS does use pluggable drivers and the default is configured here:
>> >> https://github.com/openstack/neutron-fwaas/blob/master/etc/fwaas_driver.ini
>> >>
>> >> For an example of a FWaaS driver implementation, you can check here:
>> >> https://github.com/openstack/neutron-fwaas/tree/master/neutron_fwaas/services/firewall/drivers
>> >>
>> >>> Thanks
>> >>> Vikram
>> >>>
>> >>> -----Original Message-----
>> >>> From: Sławek Kapłoński [mailto: ]
>> >>> Sent: 19 February 2015 02:33
>> >>> To: openstack-dev at lists.openstack.org
>> >>> Subject: [openstack-dev] [Neutron] FWaaS - question about drivers
>> >>>
>> >>> Hello,
>> >>>
>> >>> I'm looking to use FWaaS service plugin with my own router solution (I'm
>> >>> not using L3 agent at all). If I want to use FWaaS plugin also, should I
>> >>> write own driver to it, or should I write own service plugin? I will be
>> >>> grateful for any links to some description about this FWaaS and its
>> >>> architecture :) Thx a lot for any help
>> >>>
>> >>>
>> >>> --
>> >>> Best regards
>> >>> Sławek Kapłoński
>> >>> slawek at kaplonski.pl
>> >>>
>> >>> __________________________________________________________________________
>> >>> OpenStack Development Mailing List (not for usage questions)
>> >>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev