Introduce the Brocade Vyatta Firewall device driver to provide an FWaaS solution using the Vyatta vRouter VM running as a Neutron router. The driver implements 'Perimeter Firewall' functionality to filter traffic between tenant private networks and external networks.
Brocade Vyatta vRouter is a multi-service product that provides various L3 and L4 services such as Routing, NAT, Firewall and VPN. While basic Neutron router L3 functions are available using the Brocade Vyatta L3 plugin, the vRouter's Firewall functionality is currently not configurable through the existing Neutron FWaaS APIs.
This blueprint proposes a new vendor device driver for the Neutron FWaaS agent. No change is proposed on the FWaaS service plugin side, as the existing reference FWaaS plugin is sufficient.
                           +----------------------+
                           |    Vyatta L3 NAT     |
                           |        Agent         |
                           |                      |
                           | +------------------+ |
                           | |   FWaaS Agent    | |
     RPC to FWaaS          | +------------------+ |
     service plugin        | |  Vyatta FWaaS    | |
                           | |  Device Driver   | |
     <---------------------+ |                  | |
                           +-+--------+---------+-+
                                      |
                                      |
                                      | REST API
                                      |
                             +--------v---------+
                             |                  |
                             |                  |
                             |  Vyatta vRouter  |
                             |                  |
                             |                  |
                             |                  |
                             |                  |
                             +------------------+
The Vyatta L3 NAT agent uses the Neutron L3 NAT agent to associate the firewall with the router interfaces.
The Vyatta FWaaS device driver will invoke the Vyatta vRouter REST APIs for the CRUD operations below, as and when determined by the FWaaS agent:
All these functions are similar to the existing reference FWaaS device driver implementation. Due to limitations of the existing Neutron firewall plugin, firewall rules will get applied to all of the tenant's routers. This effort will also be aligned with the community direction of the firewall insertion mode on a single router spec.
Note: we are aware of the L3 agent refactoring proposed for Kilo. Given that the device driver interface is planned to be kept as-is, the changes proposed in this blueprint will integrate with minimal impact vis-a-vis the refactoring.
This effort is part of a wider set of blueprints to offer Neutron L3 and L4 services using Vyatta vRouter VM:
The device driver will use a common REST API client library that uses basic-auth authentication to connect to the Vyatta vRouter.
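As an added illustration of the translation such a device driver has to perform (example code written for this page, not the blueprint's or Brocade's driver), the block below converts Neutron firewall rule dicts into Vyatta-style `set firewall name ... rule ...` configuration commands and builds the basic-auth header the REST client would send. The firewall name, the rule-number step of 10 and the sample rules are assumptions; the vRouter REST endpoints themselves are not shown because the page does not give them.

```python
import base64
from typing import Dict, List

# Sample Neutron firewall rules (constructed for this example). Fields mirror
# the Neutron FWaaS rule resource: position, protocol, addresses, ports, action.
SAMPLE_RULES = [
    {"position": 2, "protocol": "tcp", "destination_ip_address": "10.0.0.0/24",
     "destination_port": "8000:8080", "action": "allow", "enabled": True},
    {"position": 1, "protocol": "icmp", "action": "deny", "enabled": True},
    {"position": 3, "protocol": "udp", "action": "allow", "enabled": False},
]


def basic_auth_header(user: str, password: str) -> Dict[str, str]:
    """HTTP basic-auth header for the REST client (credentials go over TLS)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def _port(spec: str) -> str:
    """Neutron writes port ranges as 'lo:hi'; Vyatta expects 'lo-hi'."""
    return spec.replace(":", "-")


def rule_to_vyatta(fw_name: str, seq: int, rule: dict) -> List[str]:
    """Translate one Neutron rule into Vyatta set-commands (empty if disabled)."""
    if not rule.get("enabled", True):
        return []
    base = f"set firewall name {fw_name} rule {seq}"
    action = "accept" if rule["action"] == "allow" else "drop"
    cmds = [f"{base} action {action}"]
    proto = rule.get("protocol")
    if proto:
        cmds.append(f"{base} protocol {proto}")
    for side in ("source", "destination"):
        if rule.get(f"{side}_ip_address"):
            cmds.append(f"{base} {side} address {rule[f'{side}_ip_address']}")
        if rule.get(f"{side}_port"):
            if proto not in ("tcp", "udp"):  # ports are meaningless otherwise
                raise ValueError("port match requires protocol tcp or udp")
            cmds.append(f"{base} {side} port {_port(rule[f'{side}_port'])}")
    return cmds


def policy_to_vyatta(fw_name: str, rules: List[dict]) -> List[str]:
    """Order rules by Neutron position, number them 10, 20, ..., deny the rest."""
    cmds, seq = [], 10
    for rule in sorted(rules, key=lambda r: r["position"]):
        translated = rule_to_vyatta(fw_name, seq, rule)
        if translated:
            cmds.extend(translated)
            seq += 10
    cmds.append(f"set firewall name {fw_name} default-action drop")
    return cmds
```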
When a tenant creates a Firewall using the Neutron API, it will be created on the carrier-grade Vyatta vRouter.
Operators should first configure the Brocade Vyatta L3 plugin as described in . The Neutron firewall plugin, the Vyatta L3 agent and the firewall driver should then be configured. Once configured, the Vyatta FWaaS driver will be invoked for the Firewall CRUD operations on the tenant Router.
Validating the Neutron FWaaS APIs with multiple vendors, including this one from Brocade, will help move these APIs out of their current experimental state.
Scenario tests will be added to validate the Vyatta FWaaS implementation.
No new API tests are planned as no APIs are changed as part of this blueprint.
Brocade specific documentation will be updated on the availability of this functionality in Neutron and the fwaas_device_driver configuration required to enable it.