[openstack-dev] [neutron][fwaas]some architectural advice on fwaas driver writing
Oguz Yarimtepe
oguzyarimtepe at gmail.com
Mon Dec 28 07:57:42 UTC 2015
After seeing that vYatta requires a driver plugged in to the interface,
I gave up debugging it.
Now I am trying the vArmour driver. It looks simpler. Many things are clearer,
except that they have their own L3 agent. It seems it should be
making API calls when a new router is added, removed or updated. I
tried with a Liberty devstack environment but couldn't manage to get
the debugger to stop at line
https://github.com/openstack/neutron-fwaas/blob/stable/liberty/neutron_fwaas/services/firewall/agents/varmour/varmour_router.py#L294
I tried adding a router and removing it. Each time the code
execution reaches the line
https://github.com/openstack/neutron-fwaas/blob/stable/liberty/neutron_fwaas/services/firewall/agents/varmour/varmour_router.py#L278
the global agent code is executed, and I couldn't find when the SNAT or
floating IP functions are called.
Any idea?
I am also looking for the vArmour firewall software to test, but it seems
this is not possible even for a trial version: I applied on their
site for a demo version, but I haven't received any reply yet.
On 11/23/2015 08:25 AM, Germy Lure wrote:
> Hi,
> Under the current FWaaS architecture or framework, integrating only a
> hardware firewall is not easy. That requires Neutron to support multiple
> vendors at the service level. In other words, vendors must fit each other
> for their services, while currently vendors just provide all services
> through a controller.
>
> I think the root cause is that Neutron just doesn't know how the network
> devices connect to each other. Neutron provides FW, LB, VPN and other
> advanced network functionalities as services. But as the implementation
> layer, Neutron needs topology info to make the right decision, routing traffic
> to the right device. For example, from a namespace router to a hardware
> firewall, Neutron should add some internal routes, even extra L3
> interfaces, according to the connection relationship between them. If
> the firewall service is integrated with the router, like Vyatta, it's
> simple. The only thing you need to do is just enable the firewall itself.