Actions
Task #6681
closed
NS
NS
Create a distributed firewall PoC based on uncloud/nft
Task #6681:
Create a distributed firewall PoC based on uncloud/nft
Start date:
05/13/2019
Due date:
% Done:
0%
Estimated time:
PM Check date:
Description
Design¶
- uncloud needs to know about opennebula VMs
- we have an importer for this one
- uncloud needs to be able to extract mappings for
- mac <-> nic
- ip address <-> nic
- VM <-> host (?)
- uncloud needs to be able to configure nft on all hosts
- ssh keys need to be configured
NS Updated by Nico Schottelius almost 7 years ago
- Description updated (diff)
- Status changed from New to In Progress
- testing consul kv
[17:33:14] server2.place6:~# consul kv put vm-firewall/a-vm-id/allow-one-23654-0 "2a09:2947::42/64" Success! Data written to: vm-firewall/a-vm-id/allow-one-23654-0 [17:36:57] server2.place6:~# consul kv put vm-firewall/a-vm-id/allow-one-23654-0-ether "20:c9:d0:43:12:d9" Success! Data written to: vm-firewall/a-vm-id/allow-one-23654-0-ether [17:38:56] server2.place6:~# consul kv get vm-firewall/a-vm-id/allow-one-23654-0-ether 20:c9:d0:43:12:d9 [17:39:03] server2.place6:~#
- consul can have watches: https://www.consul.io/docs/agent/watches.html
- could be used for updating the firewall
{
"type": "key",
"key": "foo/bar/baz",
"handler_type": "script",
"args": ["/usr/bin/my-service-handler.sh", "-redis"]
}
- nft rules / hints
- ether saddr 20:c9:d0:43:12:d9
NS Updated by Nico Schottelius almost 7 years ago
Checking mac addresses, inside != outside:
[17:49:56] server2.place6:~# ip l | grep -i -e 02:00:f0:a9:c4:09 -e 24181
251: one-24181-0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9200 qdisc htb master br-vm-place6 state UNKNOWN mode DEFAULT group default qlen 1000
[17:50:11] server2.place6:~# ip l sh dev one-24181-0
251: one-24181-0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9200 qdisc htb master br-vm-place6 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether fe:00:f0:a9:c4:09 brd ff:ff:ff:ff:ff:ff
[17:50:21] server2.place6:~#
=> need mac address in database
NS Updated by Nico Schottelius almost 7 years ago
Watching on different servers nicely works:
[17:54:10] server2.place6:~# consul kv put vm-firewall/a-vm-id/allow-one-23654-1 "2a09:2947::43/64" Success! Data written to: vm-firewall/a-vm-id/allow-one-23654-1 [17:53:17] server3.place6:~# consul watch -type=keyprefix -prefix=vm-firewall/ "/bin/echo updating firewall" updating firewall updating firewall
NS Updated by Nico Schottelius almost 7 years ago
- Description updated (diff)
NS Updated by Nico Schottelius almost 7 years ago
- Description updated (diff)
NS Updated by Nico Schottelius almost 7 years ago
- Description updated (diff)
NS Updated by Nico Schottelius almost 7 years ago
- Description updated (diff)
NS Updated by Nico Schottelius over 6 years ago
- Assignee changed from Nico Schottelius to ll nu
Balazs,
please read and close afterwards -- this is a duplicate ticket of ucloud-firewall.
LN Updated by ll nu over 6 years ago
- Status changed from In Progress to Closed
NS Updated by Nico Schottelius over 6 years ago
- Status changed from Closed to Seen
Poing - if you close, please document where the solution
can be found ;-)
redmine@ungleich.ch writes:
LN Updated by ll nu over 6 years ago
You wrote that i should read it and close afterwards.
You mean link the duplicate issue?
https://redmine.ungleich.ch/issues/6857 - ucloud-firewall
LN Updated by ll nu over 6 years ago
- Status changed from Seen to Closed
NS Updated by Nico Schottelius almost 6 years ago
- Status changed from Closed to In Progress
- Assignee changed from ll nu to Nico Schottelius
Reopening - as prod is now needed
NS Updated by Nico Schottelius almost 6 years ago
- Subject changed from Create a distributed firewall PoC based on nft/consul to Create a distributed firewall PoC based on uncloud/nft
NS Updated by Nico Schottelius almost 6 years ago
- Description updated (diff)
NS Updated by Nico Schottelius about 4 years ago
- Status changed from In Progress to Rejected
Actions