Project

General

Profile

Actions

Task #6681

closed

Create a distributed firewall PoC based on uncloud/nft

Added by Nico Schottelius over 5 years ago. Updated about 3 years ago.

Status:
Rejected
Priority:
Normal
Target version:
-
Start date:
05/13/2019
Due date:
% Done:

0%

Estimated time:
PM Check date:

Description

Design

  • uncloud needs to know about opennebula VMs
    • we have an importer for this one
  • uncloud needs to be able to extract mappings for
    • mac <-> nic
    • ip address <-> nic
    • VM <-> host (?)
  • uncloud needs to be able to configure nft on all hosts
    • ssh keys need to be configured
Actions #1

Updated by Nico Schottelius over 5 years ago

  • Description updated (diff)
  • Status changed from New to In Progress
  • testing consul kv
[17:33:14] server2.place6:~# consul  kv put vm-firewall/a-vm-id/allow-one-23654-0 "2a09:2947::42/64" 
Success! Data written to: vm-firewall/a-vm-id/allow-one-23654-0
[17:36:57] server2.place6:~# consul  kv put vm-firewall/a-vm-id/allow-one-23654-0-ether "20:c9:d0:43:12:d9" 
Success! Data written to: vm-firewall/a-vm-id/allow-one-23654-0-ether
[17:38:56] server2.place6:~# consul kv get vm-firewall/a-vm-id/allow-one-23654-0-ether
20:c9:d0:43:12:d9
[17:39:03] server2.place6:~# 

{
  "type": "key",
  "key": "foo/bar/baz",
  "handler_type": "script",
  "args": ["/usr/bin/my-service-handler.sh", "-redis"]
}
  • nft rules / hints
    • ether saddr 20:c9:d0:43:12:d9
Actions #2

Updated by Nico Schottelius over 5 years ago

Checking mac addresses, inside != outside:


[17:49:56] server2.place6:~# ip l | grep -i -e 02:00:f0:a9:c4:09 -e 24181
251: one-24181-0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9200 qdisc htb master br-vm-place6 state UNKNOWN mode DEFAULT group default qlen 1000
[17:50:11] server2.place6:~# ip l sh dev one-24181-0
251: one-24181-0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9200 qdisc htb master br-vm-place6 state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether fe:00:f0:a9:c4:09 brd ff:ff:ff:ff:ff:ff
[17:50:21] server2.place6:~# 

=> need mac address in database

Actions #3

Updated by Nico Schottelius over 5 years ago

Watching on different servers nicely works:

[17:54:10] server2.place6:~# consul  kv put vm-firewall/a-vm-id/allow-one-23654-1 "2a09:2947::43/64" 
Success! Data written to: vm-firewall/a-vm-id/allow-one-23654-1
[17:53:17] server3.place6:~# consul watch -type=keyprefix -prefix=vm-firewall/ "/bin/echo updating firewall" 
updating firewall
updating firewall
Actions #4

Updated by Nico Schottelius over 5 years ago

  • Description updated (diff)
Actions #5

Updated by Nico Schottelius over 5 years ago

  • Description updated (diff)
Actions #6

Updated by Nico Schottelius over 5 years ago

  • Description updated (diff)
Actions #7

Updated by Nico Schottelius over 5 years ago

  • Description updated (diff)
Actions #8

Updated by Nico Schottelius over 5 years ago

  • Assignee changed from Nico Schottelius to ll nu

Balazs,

please read and close afterwards -- this is a duplicate ticket of ucloud-firewall.

Actions #9

Updated by ll nu over 5 years ago

  • Status changed from In Progress to Closed
Actions #10

Updated by Nico Schottelius over 5 years ago

  • Status changed from Closed to Seen

Poing - if you close, please document where the solution
can be found ;-)

writes:

Actions #11

Updated by ll nu over 5 years ago

You wrote that i should read it and close afterwards.

You mean link the duplicate issue?
https://redmine.ungleich.ch/issues/6857 - ucloud-firewall

Actions #12

Updated by ll nu over 5 years ago

  • Status changed from Seen to Closed
Actions #13

Updated by Nico Schottelius over 4 years ago

  • Status changed from Closed to In Progress
  • Assignee changed from ll nu to Nico Schottelius

Reopening - as prod is now needed

Actions #14

Updated by Nico Schottelius over 4 years ago

  • Subject changed from Create a distributed firewall PoC based on nft/consul to Create a distributed firewall PoC based on uncloud/nft
Actions #15

Updated by Nico Schottelius over 4 years ago

  • Description updated (diff)
Actions #16

Updated by Nico Schottelius about 3 years ago

  • Status changed from In Progress to Rejected
Actions

Also available in: Atom PDF