Add ability to configure Neutron FWaaS

This patch implements the necessary configuration in order to implement Neutron FWaaS. Re-Implementation-Of: https://review.openstack.org/#/c/275894/9 Change-Id: Ic046cc9815f7b9c86a52fd75e7c796ecacc9e083 Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2016-02-02 12:09:18 -06:00 · 2016-02-02 12:09:18 -06:00 · 06d888b5a0
commit 06d888b5a0
parent 91038031e8
3 changed files with 26 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -218,6 +218,10 @@ neutron_l3: "{% if 'router' in neutron_plugin_base or 'neutron.services.l3_route
 #TODO(odyssey4me): Remove the class path from this conditional in the Newton cycle
 neutron_metering: "{% if 'metering' in neutron_plugin_base or 'neutron.services.metering.metering_plugin.MeteringPlugin' in neutron_plugin_base %}True{% else %}False{% endif %}"

+## Neutron FWaaS
+# Please add the 'firewall' to the neutron_plugin_base list
+neutron_fwaas: "{% if 'firewall' in neutron_plugin_base %}True{% else %}False{% endif %}"
+
 ## Drivers
 neutron_driver_network_scheduler: neutron.scheduler.dhcp_agent_scheduler.WeightScheduler
 neutron_driver_router_scheduler: neutron.scheduler.l3_agent_scheduler.LeastRoutersScheduler
@ -390,6 +394,7 @@ neutron_pip_packages:
  - keystonemiddleware
  - PyMySQL
  - neutron
+  - neutron_fwaas
  - neutron_lbaas
  - pycrypto
  - python-glanceclient
--- a/releasenotes/notes/neutron-fwaas-5c7c6508f2cc05c3.yaml
+++ b/releasenotes/notes/neutron-fwaas-5c7c6508f2cc05c3.yaml
@ -0,0 +1,15 @@
+---
+features:
+  - Neutron Firewall as a Service (FWaaS) can now optionally be deployed and
+    configured. Please see the `FWaaS Configuration Reference
+    <http://docs.openstack.org/admin-guide-cloud/networking_introduction.html#firewall-as-a-service-fwaas-overview>`_
+    for details about the what the service is and what it provides. See the
+    `FWaaS Install Guide <http://docs.openstack.org/developer/openstack-ansible/install-guide/configure-fwaas.html>`_
+    for implementation details.
+upgrade:
+  - Database migration tasks have been added for the FWaaS neutron plugin.
+security:
+  - When enabled, Neutron Firewall as a Service (FWaaS) provides projects the
+    option to implement perimeter security (filtering at the router), adding to
+    filtering at the instance interfaces which is provided by 'Security
+    Groups'.
--- a/templates/neutron.conf.j2
+++ b/templates/neutron.conf.j2
@ -166,6 +166,12 @@ service_provider = LOADBALANCERV2:Haproxy:neutron_lbaas.drivers.haproxy.plugin_d

 {% endif %}

+{% if neutron_fwaas | bool and neutron_plugin_type != 'plumgrid' %}
+[fwaas]
+enabled = true
+driver = neutron.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver
+{% endif %}
+
 # Agent
 [agent]
 polling_interval = {{ neutron_agent_polling_interval|default(5) }}