Exactly, Slawek. Ralf, I was referring to the sentence 'Perimeter-Firewall'. OpenStack provides a Perimeter-Firewall and that is Security Groups. https://docs.openstack.org/nova/queens/admin/security-groups.html SG (Security Groups) is something different than FWaaS. Though FWaaS to some degree could also provide SG functionality, as it can bind to, AFAIK, any Neutron port.

On Thu, Jul 11, 2019 at 1:22 PM Slawek Kaplonski <skaplons@redhat.com> wrote:
Hi,
Security groups are supported by both Linuxbridge and OVS agents. But this is a different solution than FWaaS. Security groups are applied at the port level, not on the router.
On 11 Jul 2019, at 13:13, Teckelmann, Ralf, NMU-OIP < ralf.teckelmann@bertelsmann.de> wrote:
Hello Adam,
You may have missed the part "in regard of a Stein-Deployment with Linuxbridges" of my question. So OVS is not relevant, as I understand the mutual exclusion of linux bridges and ovs.
Cheers,
Ralf T.
From: Adam Heczko <aheczko@mirantis.com>
Sent: Thursday, 11 July 2019 12:55
To: Slawek Kaplonski <skaplons@redhat.com>
Cc: Teckelmann, Ralf, NMU-OIP <ralf.teckelmann@bertelsmann.de>; openstack-discuss@lists.openstack.org
Subject: Re: FWaaS in Stein - NoMatches: No 'neutron.service_plugins' driver found, looking for 'firewall'
Hi Ralf, WDYM saying 'no Perimeter-Firewall is offered anymore'? OpenStack with OVS ML2 provides security groups, which is considered a 'perimeter firewall'.
On Thu, Jul 11, 2019 at 12:35 PM Slawek Kaplonski <skaplons@redhat.com> wrote:
Hi,
AFAICT there are not many still-active developers of the neutron-fwaas project and I don't know about such plans currently.
On 11 Jul 2019, at 11:23, Teckelmann, Ralf, NMU-OIP < ralf.teckelmann@bertelsmann.de> wrote:
Hello Slawek,
Thank you for your fast response. This means in regard of a Stein-Deployment with Linuxbridges no Perimeter-Firewall is offered anymore. Are there plans to remedy this deficiency in the next releases?
Cheers,
Ralf T.
From: Slawek Kaplonski <skaplons@redhat.com>
Sent: Thursday, 11 July 2019 10:04:02
To: Teckelmann, Ralf, NMU-OIP
Cc: openstack-discuss@lists.openstack.org
Subject: Re: FWaaS in Stein - NoMatches: No 'neutron.service_plugins' driver found, looking for 'firewall'
Hi,
FWaaS v1 has been deprecated for some time and was removed completely in the Stein release.
On 11 Jul 2019, at 09:28, Teckelmann, Ralf, NMU-OIP < ralf.teckelmann@bertelsmann.de> wrote:
Good Morning everyone,
We like to have FWaaS enabled for a Stein-based OpenStack installation. Using linuxbridges we are not able to use FWaaS_v2, because it only seems to work with ovs.
We thus tried FWaaS (v1) following https://docs.openstack.org/openstack-ansible-os_neutron/latest/configure-network-services.html#firewall-service-optional . However, all we get from it is (1).
Are we missing a point or is FWaaS_V1 just not supported in Stein anymore? If so, this would mean for a setup Stein+Linuxbridges no FWaaS is actually available, right?
(1) grep firewall /var/log/neutron/neutron-server.log
2019-07-05 10:10:55.693 29793 ERROR neutron_lib.utils.runtime NoMatches: No'neutron.service_plugins' driver found, looking for 'firewall'
2019-07-05 10:10:55.694 29793 ERROR neutron.manager [req-394624b6-e638-45ec-be7c-ce86793fdbc4 - - - - -] Plugin 'firewall' not found.
2019-07-05 10:11:00.046 29979 INFO neutron.manager [req-e86af4f4-afae-46d7-ac5e-51585a12083b - - - - -] Loading Plugin: firewall
2019-07-05 10:11:00.046 29979 ERROR neutron_lib.utils.runtime [req-e86af4f4-afae-46d7-ac5e-51585a12083b - - - - -] Error loading class by alias: NoMatches: No 'neutron.service_plugins' driver found, looking for 'firewall'
Best regards,
Ralf T.
— Slawek Kaplonski Senior software engineer Red Hat
-- Adam Heczko Principal Security Architect @ Mirantis Inc.
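
Added example, not part of the original thread and not project code: a Python check that pulls the failing alias out of the neutron-server.log lines quoted above and lists which service_plugins entries in a neutron.conf have no entry point in the 'neutron.service_plugins' namespace. The neutron.conf fragment, the dotted class path in it and all function names are constructed for illustration.

```python
import configparser
import re
from importlib import metadata

GROUP = "neutron.service_plugins"  # entry-point namespace named in the error

# Log lines as quoted in the thread (line one lacks a space after "No").
SAMPLE_LOG = """\
2019-07-05 10:10:55.693 29793 ERROR neutron_lib.utils.runtime NoMatches: No'neutron.service_plugins' driver found, looking for 'firewall'
2019-07-05 10:10:55.694 29793 ERROR neutron.manager [req-394624b6-e638-45ec-be7c-ce86793fdbc4 - - - - -] Plugin 'firewall' not found.
"""

# Constructed neutron.conf fragment; the dotted class path is hypothetical.
SAMPLE_CONF = """\
[DEFAULT]
service_plugins = router,firewall,example_pkg.plugins.ExamplePlugin
"""

NOMATCH_RE = re.compile(
    r"NoMatches: No\s*'(?P<group>[\w.]+)' driver found, looking for '(?P<alias>[^']+)'"
)

def failed_aliases(log_text):
    """Return the (namespace, alias) pairs the server could not load."""
    return {(m["group"], m["alias"]) for m in NOMATCH_RE.finditer(log_text)}

def configured_plugins(conf_text):
    """Return the service_plugins list from the [DEFAULT] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    raw = cp.get("DEFAULT", "service_plugins", fallback="")
    return [p.strip() for p in raw.split(",") if p.strip()]

def installed_aliases(group=GROUP):
    """Aliases registered in this Python environment for the namespace."""
    eps = metadata.entry_points()
    found = eps.select(group=group) if hasattr(eps, "select") else eps.get(group, [])
    return {ep.name for ep in found}

def unresolved(conf_text, available):
    """Configured aliases (dotted class paths are skipped) not in available."""
    return [p for p in configured_plugins(conf_text)
            if "." not in p and ":" not in p and p not in available]

if __name__ == "__main__":
    print("failed in log:", sorted(failed_aliases(SAMPLE_LOG)))
    print("unresolved on this host:", unresolved(SAMPLE_CONF, installed_aliases()))
```

Run on the neutron-server host before restarting the service, it reports aliases such as the removed v1 'firewall' that would otherwise leave the deployment without the filtering layer the operator expected.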