[openstack-dev] [neutron][fwaas]some architectural advice on fwaas driver writing

Germy Lure germy.lure at gmail.com
Mon Nov 23 06:25:36 UTC 2015


Hi,
Under the current FWaaS architecture or framework, integrating only a hardware
firewall is not easy. That requires Neutron to support multiple vendors at the
service level. In other words, vendors must fit each other for their services,
while currently vendors just provide all services through the controller.

I think the root cause is that Neutron just doesn't know how the network
devices connect to each other. Neutron provides FW, LB, VPN and other
advanced network functionalities as services. But as the implementation
layer, Neutron needs TOPO info to make the right decision, routing traffic to
the right device. For example, from a namespace router to a hardware firewall,
Neutron should add some internal routes, even extra L3 interfaces, according
to the connection relationship between them. If the firewall service is
integrated with the router, like Vyatta, it's simple. The only thing you need
to do is just enable the firewall itself.

All in all, it requires linkage between services, especially between
advanced services and L3 router.

Germy

On Fri, Nov 20, 2015 at 9:19 PM, Somanchi Trinath <
trinath.somanchi at freescale.com> wrote:

> Hi-
>
> As I understand, you are not sure about “How to locate the Hardware Appliance”
> which you have as your FW?
>
> Am I right? If so, you can look into a
> https://github.com/jumpojoy/generic_switch kind of approach.
>
> -
> Trinath
>
> *From:* Oguz Yarimtepe [mailto:oguzyarimtepe at gmail.com]
> *Sent:* Friday, November 20, 2015 5:52 PM
> *To:* OpenStack Development Mailing List (not for usage questions) <
> openstack-dev at lists.openstack.org>
> *Subject:* Re: [openstack-dev] [neutron][fwaas]some architectural advice
> on fwaas driver writing
>
>
>
> I created a sample driver by looking at the vArmour driver that is in the
> GitHub FWaaS repo. I am planning to call the FW's REST API from the
> suitable functions.
>
> The problem is, I am still not sure how to locate the hardware appliance.
> One of the FWaaS guys says that Service Chaining can help. Does anybody have
> an idea how to insert the FW into OpenStack?
>
> On 11/02/2015 02:36 PM, Somanchi Trinath wrote:
>
> Hi-
>
> I’m confused. Do you really have a PoC implementation of what is to be
> achieved?
>
> As I look into these types of implementations, I would prefer to have a proxy
> driver/plugin to get the configuration from OpenStack to an external
> controller/device and do the rest of the magic.
>
> -
> Trinath