fwaas

OpenStack configuration and installation environment

  • Ubuntu version
    root@controller:~# lsb_release -a
    No LSB modules are available.
    Distributor ID: Ubuntu
    Description: Ubuntu 16.04.2 LTS
    Release: 16.04
    Codename: xenial
  • OpenStack Newton version
    root@controller:~# openstack --version
    openstack 3.2.0

  • Installation environment
    Two VirtualBox VMs on OS X (controller and compute)
    The OpenStack network node and control node are installed on the controller machine; the compute node is installed on the compute machine

  • Network topology
    fwaasnetwork (topology figure)

Configuration modules

Configuration details

/etc/neutron/neutron.conf
[DEFAULT]
service_plugins = router,firewall

[service_providers]
service_provider = FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default

Note: if there is no [service_providers] section, add it at the end of the file
[fwaas]
agent_version = v1
driver = iptables
enabled = True

Note: as above, if the section does not exist, add it at the end of the file

/etc/neutron/fwaas_driver.ini
[fwaas]
driver = neutron_fwaas.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver
enabled = True

/etc/neutron/l3_agent.ini
[AGENT]
extensions = fwaas

Load the FWaaS configuration into the database

neutron-db-manage --subproject neutron-fwaas upgrade head

After configuration, restart the neutron-server and neutron-l3-agent services for the changes to take effect

service neutron-server restart
service neutron-l3-agent restart

Create a firewall policy (it contains no rules by default) and a firewall that uses it

neutron firewall-policy-create myfwallpolicy
neutron firewall-create myfwallpolicy --name myfw

Confirm the firewall came up successfully

root@controller:~# neutron firewall-show myfw
+--------------------+--------------------------------------+
| Field | Value |
+--------------------+--------------------------------------+
| admin_state_up | True |
| description | |
| firewall_policy_id | 4a1e2adb-ac2c-44d2-8622-65bcc9982c05 |
| id | 47e900ef-6baf-4958-902a-77ba20f9791f |
| name | myfw |
| project_id | 2aba7c0d74a54b9a9acf1e2810ef996e |
| router_ids | 444e3a9e-1011-46fd-af5c-bcad004e236b |
| status | ACTIVE |
| tenant_id | 2aba7c0d74a54b9a9acf1e2810ef996e |
+--------------------+--------------------------------------+

Note: in this experiment on Newton, a PENDING_CREATE status means that the firewall is not associated with a router, that the configuration is wrong, or that neutron-l3-agent and neutron-server were not restarted so the configuration never took effect
Sigh, I spent a lot of effort on this.

Inspect the FWaaS iptables rules

root@controller:~# ip netns
qdhcp-0dbb735a-ab82-4658-a544-1e91cc7f68db (id: 3)
qdhcp-e47041c9-008c-4c1b-8fe5-99120d8765b8 (id: 1)
qdhcp-0ad9b398-b0ac-476a-b1bc-b1f58bf8eff4 (id: 2)
qrouter-444e3a9e-1011-46fd-af5c-bcad004e236b (id: 0)
root@controller:~# ip netns exec qrouter-444e3a9e-1011-46fd-af5c-bcad004e236b iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N neutron-filter-top
-N neutron-l3-agent-FORWARD
-N neutron-l3-agent-INPUT
-N neutron-l3-agent-OUTPUT
-N neutron-l3-agent-fwaas-defau
-N neutron-l3-agent-iv4ec95c473
-N neutron-l3-agent-local
-N neutron-l3-agent-ov4ec95c473
-N neutron-l3-agent-scope
-A INPUT -j neutron-l3-agent-INPUT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-l3-agent-FORWARD
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A neutron-filter-top -j neutron-l3-agent-local
-A neutron-l3-agent-FORWARD -j neutron-l3-agent-scope
-A neutron-l3-agent-FORWARD -o qr-+ -j neutron-l3-agent-iv4ec95c473
-A neutron-l3-agent-FORWARD -i qr-+ -j neutron-l3-agent-ov4ec95c473
-A neutron-l3-agent-FORWARD -o qr-+ -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-FORWARD -i qr-+ -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-INPUT -m mark --mark 0x1/0xffff -j ACCEPT
-A neutron-l3-agent-INPUT -p tcp -m tcp --dport 9697 -j DROP
-A neutron-l3-agent-fwaas-defau -j DROP
-A neutron-l3-agent-iv4ec95c473 -m state --state INVALID -j DROP
-A neutron-l3-agent-iv4ec95c473 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-ov4ec95c473 -m state --state INVALID -j DROP
-A neutron-l3-agent-ov4ec95c473 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-scope -o qr-4346328d-f4 -m mark ! --mark 0x4000000/0xffff0000 -j DROP
-A neutron-l3-agent-scope -o qr-d879832c-1e -m mark ! --mark 0x4000000/0xffff0000 -j DROP

Allow ICMP between the two subnets across the router

root@controller:~# neutron firewall-rule-create --protocol icmp --action allow --name myrule
Created a new firewall_rule:
+------------------------+--------------------------------------+
| Field | Value |
+------------------------+--------------------------------------+
| action | allow |
| description | |
| destination_ip_address | |
| destination_port | |
| enabled | True |
| firewall_policy_id | |
| id | 77e7d0b6-d9b3-453e-a0c1-833faae5cd48 |
| ip_version | 4 |
| name | myrule |
| position | |
| project_id | 2aba7c0d74a54b9a9acf1e2810ef996e |
| protocol | icmp |
| shared | False |
| source_ip_address | |
| source_port | |
| tenant_id | 2aba7c0d74a54b9a9acf1e2810ef996e |
+------------------------+--------------------------------------+
root@controller:~# neutron firewall-policy-insert-rule myfwallpolicy myrule
Inserted firewall rule in firewall policy myfwallpolicy

Inspect the rules after allowing ICMP

root@controller:~# ip netns exec qrouter-444e3a9e-1011-46fd-af5c-bcad004e236b iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N neutron-filter-top
-N neutron-l3-agent-FORWARD
-N neutron-l3-agent-INPUT
-N neutron-l3-agent-OUTPUT
-N neutron-l3-agent-fwaas-defau
-N neutron-l3-agent-iv4ec95c473
-N neutron-l3-agent-local
-N neutron-l3-agent-ov4ec95c473
-N neutron-l3-agent-scope
-A INPUT -j neutron-l3-agent-INPUT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-l3-agent-FORWARD
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A neutron-filter-top -j neutron-l3-agent-local
-A neutron-l3-agent-FORWARD -j neutron-l3-agent-scope
-A neutron-l3-agent-FORWARD -o qr-+ -j neutron-l3-agent-iv4ec95c473
-A neutron-l3-agent-FORWARD -i qr-+ -j neutron-l3-agent-ov4ec95c473
-A neutron-l3-agent-FORWARD -o qr-+ -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-FORWARD -i qr-+ -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-INPUT -m mark --mark 0x1/0xffff -j ACCEPT
-A neutron-l3-agent-INPUT -p tcp -m tcp --dport 9697 -j DROP
-A neutron-l3-agent-fwaas-defau -j DROP
-A neutron-l3-agent-iv4ec95c473 -m state --state INVALID -j DROP
-A neutron-l3-agent-iv4ec95c473 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-iv4ec95c473 -p icmp -j ACCEPT
-A neutron-l3-agent-ov4ec95c473 -m state --state INVALID -j DROP
-A neutron-l3-agent-ov4ec95c473 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-ov4ec95c473 -p icmp -j ACCEPT
-A neutron-l3-agent-scope -o qr-4346328d-f4 -m mark ! --mark 0x4000000/0xffff0000 -j DROP
-A neutron-l3-agent-scope -o qr-d879832c-1e -m mark ! --mark 0x4000000/0xffff0000 -j DROP

Excerpt of the relevant FORWARD rules:
-A FORWARD -j neutron-l3-agent-FORWARD
-A neutron-l3-agent-FORWARD -o qr-+ -j neutron-l3-agent-iv4ec95c473
-A neutron-l3-agent-FORWARD -i qr-+ -j neutron-l3-agent-ov4ec95c473
-A neutron-l3-agent-FORWARD -o qr-+ -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-FORWARD -i qr-+ -j neutron-l3-agent-fwaas-defau

Forwarding in the router namespace is handed off to the neutron-l3-agent-FORWARD chain.
The relevant rules are:
-A neutron-l3-agent-FORWARD -o qr-+ -j neutron-l3-agent-iv4ec95c473
-A neutron-l3-agent-FORWARD -o qr-+ -j neutron-l3-agent-fwaas-defau
FORWARD traffic is ultimately handled by neutron-l3-agent-iv4ec95c473 and neutron-l3-agent-fwaas-defau:
-A neutron-l3-agent-iv4ec95c473 -m state --state INVALID -j DROP
-A neutron-l3-agent-iv4ec95c473 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-fwaas-defau -j DROP

By default, all packets forwarded through the router's qr interfaces are dropped

Analysis of the rules added after the allow rule

-A neutron-l3-agent-iv4ec95c473 -p icmp -j ACCEPT
-A neutron-l3-agent-ov4ec95c473 -p icmp -j ACCEPT

With the ICMP allow rule added, ping traffic across the router now passes
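An added audit script (not from the original post) for the chain analysis above: it parses the `iptables -S` output of a qrouter namespace, verifies that the `fwaas-defau` chain still ends in DROP (default-deny intact), and lists which protocols and ports the iv*/ov* chains open explicitly. The embedded dump is a constructed subset of the post's output, and the `-iv<hex>` / `-ov<hex>` chain-name pattern is assumed from the names shown.

```python
import re
import shlex
from collections import defaultdict

# Constructed subset of the `iptables -S` dump shown above (after the ICMP
# allow rule); chain names are copied from the post's output.
DUMP_AFTER_ICMP = """\
-A neutron-l3-agent-FORWARD -o qr-+ -j neutron-l3-agent-iv4ec95c473
-A neutron-l3-agent-FORWARD -o qr-+ -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-fwaas-defau -j DROP
-A neutron-l3-agent-iv4ec95c473 -m state --state INVALID -j DROP
-A neutron-l3-agent-iv4ec95c473 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-iv4ec95c473 -p icmp -j ACCEPT
-A neutron-l3-agent-ov4ec95c473 -m state --state INVALID -j DROP
-A neutron-l3-agent-ov4ec95c473 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-ov4ec95c473 -p icmp -j ACCEPT
"""

def parse_rules(dump):
    """Map chain name -> list of rule token lists from the `-A chain ...` lines."""
    chains = defaultdict(list)
    for line in dump.splitlines():
        tokens = shlex.split(line)
        if len(tokens) >= 2 and tokens[0] == "-A":
            chains[tokens[1]].append(tokens[2:])
    return chains

def explicit_accepts(rules):
    """Set of (protocol, dport or None) opened by `-p ... -j ACCEPT` rules."""
    found = set()
    for rule in rules:
        if "-p" in rule and rule[-2:] == ["-j", "ACCEPT"]:
            dport = rule[rule.index("--dport") + 1] if "--dport" in rule else None
            found.add((rule[rule.index("-p") + 1], dport))
    return found

def summarize(dump):
    """Check the fwaas-defau chain still drops and list what iv*/ov* chains open."""
    chains = parse_rules(dump)
    defaults = [c for c in chains if c.endswith("-fwaas-defau")]
    # Default-deny holds only if every fwaas-defau chain's last rule is DROP.
    default_drop = bool(defaults) and all(
        chains[c][-1][-2:] == ["-j", "DROP"] for c in defaults)
    result = {"default_drop": default_drop, "ingress": set(), "egress": set()}
    for chain, rules in chains.items():
        m = re.search(r"-(iv|ov)[0-9a-f]+$", chain)  # iv = to qr-, ov = from qr-
        if m:
            result["ingress" if m.group(1) == "iv" else "egress"] |= explicit_accepts(rules)
    return result
```

On the controller, pipe the output of `ip netns exec qrouter-<id> iptables -S` into summarize() to audit a live router instead of the embedded dump.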

How to let VMs reach the Internet with the firewall enabled

  • Allow DNS
    neutron firewall-rule-create --protocol udp --destination-port 53 --action allow --name dns
  • Allow TCP
    neutron firewall-rule-create --protocol tcp --action allow --name myrul

If the VMs could reach the Internet before the firewall was enabled but cannot afterwards, adding the rules above restores Internet access for the VMs

List everything

List rules
neutron firewall-rule-list
List policies
neutron firewall-policy-list
List firewalls
neutron firewall-list

root@controller:~# neutron firewall-rule-list

+------------------------------------+--------+------------------------------------+----------------------+---------+
| id | name | firewall_policy_id | summary | enabled |
+------------------------------------+--------+------------------------------------+----------------------+---------+
| 69912a17-e462-40ce-b30e- | myrule | 7f3539bb-145c- | ICMP, | True |
| b547f0673dbd | | 4f59-b374-83abbb9729b0 | source: none(none), | |
| | | | dest: none(none), | |
| | | | allow | |
+------------------------------------+--------+------------------------------------+----------------------+---------+
root@controller:~# neutron firewall-policy-list
+--------------------------------------+---------------+----------------------------------------+
| id | name | firewall_rules |
+--------------------------------------+---------------+----------------------------------------+
| 7f3539bb-145c-4f59-b374-83abbb9729b0 | myfwallpolicy | [69912a17-e462-40ce-b30e-b547f0673dbd] |
+--------------------------------------+---------------+----------------------------------------+
root@controller:~# neutron firewall-list
+--------------------------------------+------+--------------------------------------+
| id | name | firewall_policy_id |
+--------------------------------------+------+--------------------------------------+
| 532f3f7a-376d-485a-a8db-2e3598fc9b86 | myfw | 7f3539bb-145c-4f59-b374-83abbb9729b0 |
+--------------------------------------+------+--------------------------------------+