Task #6681 (closed)
Create a distributed firewall PoC based on uncloud/nft
Start date: 05/13/2019
% Done: 0%
Description
Design
- uncloud needs to know about opennebula VMs
  - we have an importer for this one
- uncloud needs to be able to extract mappings for
  - mac <-> nic
  - ip address <-> nic
  - VM <-> host (?)
- uncloud needs to be able to configure nft on all hosts
  - ssh keys need to be configured
Updated by Nico Schottelius over 5 years ago
- Description updated (diff)
- Status changed from New to In Progress
- testing consul kv
    [17:33:14] server2.place6:~# consul kv put vm-firewall/a-vm-id/allow-one-23654-0 "2a09:2947::42/64"
    Success! Data written to: vm-firewall/a-vm-id/allow-one-23654-0
    [17:36:57] server2.place6:~# consul kv put vm-firewall/a-vm-id/allow-one-23654-0-ether "20:c9:d0:43:12:d9"
    Success! Data written to: vm-firewall/a-vm-id/allow-one-23654-0-ether
    [17:38:56] server2.place6:~# consul kv get vm-firewall/a-vm-id/allow-one-23654-0-ether
    20:c9:d0:43:12:d9
    [17:39:03] server2.place6:~#
- consul can have watches: https://www.consul.io/docs/agent/watches.html
  - could be used for updating the firewall

    {
      "type": "key",
      "key": "foo/bar/baz",
      "handler_type": "script",
      "args": ["/usr/bin/my-service-handler.sh", "-redis"]
    }

- nft rules / hints
  - ether saddr 20:c9:d0:43:12:d9
Updated by Nico Schottelius over 5 years ago
Checking mac addresses, inside != outside:
    [17:49:56] server2.place6:~# ip l | grep -i -e 02:00:f0:a9:c4:09 -e 24181
    251: one-24181-0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9200 qdisc htb master br-vm-place6 state UNKNOWN mode DEFAULT group default qlen 1000
    [17:50:11] server2.place6:~# ip l sh dev one-24181-0
    251: one-24181-0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9200 qdisc htb master br-vm-place6 state UNKNOWN mode DEFAULT group default qlen 1000
        link/ether fe:00:f0:a9:c4:09 brd ff:ff:ff:ff:ff:ff
    [17:50:21] server2.place6:~#
=> need mac address in database
Updated by Nico Schottelius over 5 years ago
Watching on different servers nicely works:
    [17:54:10] server2.place6:~# consul kv put vm-firewall/a-vm-id/allow-one-23654-1 "2a09:2947::43/64"
    Success! Data written to: vm-firewall/a-vm-id/allow-one-23654-1

    [17:53:17] server3.place6:~# consul watch -type=keyprefix -prefix=vm-firewall/ "/bin/echo updating firewall"
    updating firewall
    updating firewall
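Pulling the experiments above together, here is an added example (not code from this ticket or from uncloud) of what the consul watch handler on each host could feed to `nft -f -`: it reads the kv layout tried above, validates the values before they touch an nft script, and renders a bridge-family ruleset that lets each VM tap send only with the VM's own MAC and prefix. The key layout, the rule shape, the sample values and the `table`/`flush` idiom are assumptions drawn from the ticket's notes; the MAC is taken from the kv store (i.e. the VM database), not from the host-side tap, whose link/ether differs from the guest's.

```python
import ipaddress
import re

# Constructed sample of the kv layout tried in this ticket:
#   vm-firewall/<vm-id>/allow-<nic>        -> address/prefix the NIC may use
#   vm-firewall/<vm-id>/allow-<nic>-ether  -> MAC used inside the VM (from DB, not tap)
SAMPLE_KV = {
    "vm-firewall/a-vm-id/allow-one-23654-0": "2a09:2947::42/64",
    "vm-firewall/a-vm-id/allow-one-23654-0-ether": "20:c9:d0:43:12:d9",
    "vm-firewall/a-vm-id/allow-one-23654-1": "2a09:2947::43/64",
    "vm-firewall/a-vm-id/allow-one-23654-1-ether": "20:c9:d0:43:12:da",
}
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
NIC_RE = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")  # kernel interface name limit

def parse_kv(kv, prefix="vm-firewall/"):
    """Group entries into {nic: {"mac": str, "net": ip_network}}. Values are
    validated: anyone able to write under the kv prefix could otherwise
    inject arbitrary text into the generated nft script."""
    nics = {}
    for key, value in kv.items():
        _vm, _, name = key[len(prefix):].partition("/")
        if not key.startswith(prefix) or not name.startswith("allow-"):
            continue
        name = name[len("allow-"):]
        if name.endswith("-ether"):
            nic, mac = name[:-len("-ether")], value.strip().lower()
            if not MAC_RE.match(mac):
                raise ValueError(f"bad MAC for {nic}: {value!r}")
            nics.setdefault(nic, {})["mac"] = mac
        else:  # strict=False masks host bits: 2a09:2947::42/64 -> 2a09:2947::/64
            net = ipaddress.ip_network(value.strip(), strict=False)
            nics.setdefault(name, {})["net"] = net
    for nic, spec in nics.items():
        if not NIC_RE.match(nic) or any(k not in spec for k in ("mac", "net")):
            raise ValueError(f"incomplete or invalid entry for {nic!r}")
    return nics

def render_nft(nics, table="vm-firewall"):
    """Bridge-family ruleset (VM taps hang off a Linux bridge): frames from a
    VM tap pass only with that VM's MAC and a source address in its prefix."""
    out = [f"table bridge {table} {{}}", f"flush table bridge {table}",
           f"table bridge {table} {{", "  chain forward {",
           "    type filter hook forward priority 0; policy accept;"]
    for nic, spec in sorted(nics.items()):
        proto = "ip6" if spec["net"].version == 6 else "ip"
        out.append(f'    iifname "{nic}" ether saddr {spec["mac"]} '
                   f'{proto} saddr {spec["net"]} accept')
        out.append(f'    iifname "{nic}" drop')
    return "\n".join(out + ["  }", "}"]) + "\n"
```

Interfaces without an entry under the prefix stay unfiltered because the chain policy is accept; a tap that has an entry is locked to exactly one MAC and one prefix, so a spoofed source on that tap is dropped on the host.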
Updated by Nico Schottelius over 5 years ago
- Assignee changed from Nico Schottelius to ll nu
Balazs,
please read and close afterwards -- this is a duplicate ticket of ucloud-firewall.
Updated by Nico Schottelius over 5 years ago
- Status changed from Closed to Seen
Poing - if you close, please document where the solution can be found ;-)
Updated by ll nu over 5 years ago
You wrote that I should read it and close afterwards.
You mean link the duplicate issue?
https://redmine.ungleich.ch/issues/6857 - ucloud-firewall
Updated by Nico Schottelius over 4 years ago
- Status changed from Closed to In Progress
- Assignee changed from ll nu to Nico Schottelius
Reopening - as prod is now needed
Updated by Nico Schottelius over 4 years ago
- Subject changed from Create a distributed firewall PoC based on nft/consul to Create a distributed firewall PoC based on uncloud/nft
Updated by Nico Schottelius about 3 years ago
- Status changed from In Progress to Rejected