Neutron/FWaaS/HowToInstall

Installation

Checkout Test branches

Please add this line on localrc

   enable_service q-fwaas

Setup Params

  • If you used the devstack patch above, you can skip this section
  • If you did not use the devstack patch above and installed devstack from the trunk, after the installation add the following to

/etc/neutron/neutron.conf

service_plugins = neutron.services.firewall.fwaas_plugin.FirewallPlugin

Note: you can also add this line on localrc (before running stack.sh to get the above configuration automatically)

   Q_SERVICE_PLUGIN_CLASSES=neutron.services.firewall.fwaas_plugin.FirewallPlugin 
  • Add the following file:

/etc/neutron/fwaas_driver.ini

[fwaas]
driver = neutron.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver
enabled = True
  • Restart the l3 agent

When you do this, you will need to provide the fwaas_driver.ini conf file as an argument as well:

cd /opt/stack/neutron && python /usr/local/bin/neutron-l3-agent --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini --config-file /etc/neutron/fwaas_driver.ini || touch "/opt/stack/status/stack/q-agt.failure"
  • Restart the neutron server

CLI/REST Walkthrough

CLI

  • To list firewalls, firewall_policies, firewall_rules:
neutron firewall-list
neutron firewall-policy-list
neutron firewall-rule-list
  • Create firewall rule:
neutron firewall-rule-create --protocol tcp --destination-port 80 --action allow
Created a new firewall_rule:
+------------------------+--------------------------------------+
| Field                  | Value                                |
+------------------------+--------------------------------------+
| action                 | allow                                |
| description            |                                      |
| destination_ip_address |                                      |
| destination_port       | 80                                   |
| enabled                | True                                 |
| firewall_policy_id     |                                      |
| id                     | 1283a548-9ca8-4a7b-a187-fc21c7fefe8e |
| ip_version             | 4                                    |
| name                   |                                      |
| position               |                                      |
| protocol               | tcp                                  |
| shared                 | False                                |
| source_ip_address      |                                      |
| source_port            |                                      |
| tenant_id              | baaaf4da44874e3f82ff93beba64117e     |
+------------------------+--------------------------------------+
  • Create firewall policy with rules:
neutron firewall-policy-create --firewall-rules "1283a548-9ca8-4a7b-a187-fc21c7fefe8e ef9fe8d1-1d79-485b-9d90-d1dd4bf228b5" test-policy
Created a new firewall_policy:
+----------------+--------------------------------------+
| Field          | Value                                |
+----------------+--------------------------------------+
| audited        | False                                |
| description    |                                      |
| firewall_rules | 1283a548-9ca8-4a7b-a187-fc21c7fefe8e |
|                | ef9fe8d1-1d79-485b-9d90-d1dd4bf228b5 |
| id             | 257f0a59-5b16-486b-aae2-b57c60e2053f |
| name           | test-policy                          |
| shared         | False                                |
| tenant_id      | baaaf4da44874e3f82ff93beba64117e     |
+----------------+--------------------------------------+
  • Create the firewall with the policy association:
neutron firewall-create 257f0a59-5b16-486b-aae2-b57c60e2053f
Created a new firewall:
+--------------------+--------------------------------------+
| Field              | Value                                |
+--------------------+--------------------------------------+
| admin_state_up     | True                                 |
| description        |                                      |
| firewall_policy_id | 257f0a59-5b16-486b-aae2-b57c60e2053f |
| id                 | 28530399-d8ee-4700-9685-ee5d645f4d59 |
| name               |                                      |
| status             | PENDING_CREATE                       |
| tenant_id          | baaaf4da44874e3f82ff93beba64117e     |
+--------------------+--------------------------------------+
  • Check that the firewall is in ACTIVE state before the next operation can be performed on the firewall:
neutron firewall-show 28530399-d8ee-4700-9685-ee5d645f4d59
+--------------------+--------------------------------------+
| Field              | Value                                |
+--------------------+--------------------------------------+
| admin_state_up     | True                                 |
| description        |                                      |
| firewall_policy_id | 257f0a59-5b16-486b-aae2-b57c60e2053f |
| id                 | 28530399-d8ee-4700-9685-ee5d645f4d59 |
| name               |                                      |
| status             | ACTIVE                               |
| tenant_id          | baaaf4da44874e3f82ff93beba64117e     |
+--------------------+--------------------------------------+
  • Delete the firewall:
neutron firewall-delete 28530399-d8ee-4700-9685-ee5d645f4d59
Deleted firewall: 28530399-d8ee-4700-9685-ee5d645f4d59

REST calls using curl:

export q_url=http://<neutron-server-ip>:9696/v2.0

for example

   export q_url=http://127.0.0.1:9696/v2.0

and

   export auth_token=<auth_token>

where <auth_token> is the token obtained from:

   keystone token-get

or

   export auth_token=`keystone token-get | awk '/id/{print $4}' | head -n1`
  • To list firewalls, firewall_policies, firewall_rules:
   curl -X GET -H "X-Auth-Token: $auth_token" $q_url/fw/firewalls | python -mjson.tool
   curl -X GET -H "X-Auth-Token: $auth_token" $q_url/fw/firewall_policies | python -mjson.tool
   curl -X GET -H "X-Auth-Token: $auth_token" $q_url/fw/firewall_rules | python -mjson.tool
  • Create firewall rule:
   curl -X POST -H "X-Auth-Token: $auth_token" -H "Content-type:application/json" -d '{"firewall_rule": {"protocol": "tcp", "destination_port": "80", "action": "allow"}}' $q_url/fw/firewall_rules
  • Create firewall policy:
   curl -X POST -H "X-Auth-Token: $auth_token" -H "Content-type:application/json" -d '{"firewall_policy": {"name": "fwasspolicy"} }' $q_url/fw/firewall_policies
  • Add rule to policy (this could have been done while creating the firewall policy too):
   curl -X PUT -H "X-Auth-Token: $auth_token" -H "Content-type:application/json" -d '{"firewall_policy": {"firewall_rules": ["1d47c609-8fd1-4aad-97fd-157887c47b4f"]}}' $q_url/fw/firewall_policies/9c50d2d0-3a85-4ed7-a20f-bef8c08233e3
  • Create the firewall with the policy association:
   curl -X POST -H "X-Auth-Token: $auth_token" -H "Content-type:application/json" -d '{"firewall": {"name": "fwasstest", "firewall_policy_id": "9c50d2d0-3a85-4ed7-a20f-bef8c08233e3"} }' $q_url/fw/firewalls
  • Delete the firewall:
   curl -X DELETE -H "X-Auth-Token: $auth_token" $q_url/fw/firewalls/9649548e-b87f-4c56-bbb7-5ee84b316da1

Horizon Interface

1. Neutron Firewall as a Service (FWaaS) Panel

2. Add new firewall policy

3. New firewall policy added

4. Firewall Rules

5. Add a new firewall rule

6. New firewall rule added

7. Insert the firewall rule into the firewall policy

8. Inserting the firewall rule in the top position

9. Firewall rule inserted into firewall policy

10. Firewalls tab

11. Adding a new firewall with earlier created firewall policy

12. Firewall created

13. Firewall details

14. Firewall Policy details

15. Firewall rule details