Ocata Series Release Notes
The FWaaS team is pleased to release FWaaS v2.0. This release of FWaaS supports either the original FWaaS v1 or the new FWaaS v2.
- In FWaaS v2, firewall policies are applied to router ports, as opposed to being applied to routers in FWaaS v1.
- Previously, the FWaaS agent integrated with the L3 agent by having the L3 agent class inherit from the FWaaS agent class. This meant that other service agents could not also integrate with the L3 agent. Now, using the L3 agent extensions mechanism, FWaaS (v1 and v2) plugs into the L3 agent. This means that it can interoperate peacefully with other L3 advanced services that also implement the L3 agent extension mechanism, all without any code changes to Neutron.
- There is not currently a defined upgrade path from FWaaS v1 to FWaaS v2.
- FWaaS v1 cannot be enabled at the same time as FWaaS v2; one or the other must be chosen.
The Cisco Firewall Driver is being moved from the FWaaS repo to the Cisco specific repo: https://github.com/openstack/networking-cisco
- The vArmour Firewall Driver is being removed from the FWaaS repo, per the decision to remove vendor drivers from the community repo.
- The vyatta Firewall Driver is being removed from the FWaaS repo, per the decision to remove vendor drivers from the community repo.
- The Cisco FWaaS driver will not be available from the neutron-fwaas repo in Newton. For the Cisco FWaaS driver, refer to the openstack/networking-cisco repo.
- The vArmour Firewall Driver will not be available for use in the Newton release.
- The vyatta Firewall Driver will not be available for use in the Newton release from the community repo.
- The McAfee Firewall Driver is being removed from the FWaaS repo, due to lack of active maintainers.
- The McAfee Firewall Driver will not be available for use in the Newton release.
Generation of sample Neutron FWaaS configuration files.
Enable quotas for FWaaS.
- Neutron FWaaS no longer includes static example configuration files. Instead, use tools/generate_config_file_samples.sh to generate them. The files are generated with a .sample extension.
- The FWaaS extension will register quotas. The default values for quota_firewall and quota_firewall_policy are set to 10. The default value for quota_firewall_rule is set to 100. Quotas can be adjusted in the conf files; a value of -1 allows unlimited resources.
- Tenants may receive a 409 Conflict error with a message body containing a quota exceeded message during resource creation if their quota is exceeded.
- Operators that increase the default limit for quota_routers from 10 may want to bump FWaaS quotas as well, since with router insertion a tenant can potentially have a unique policy and firewall for each router.
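The quota notes above can be checked against a configuration file before rollout. The following is an added example, not code from the neutron-fwaas project: it resolves the effective FWaaS quotas from neutron.conf-style text, flags -1 (unlimited) values, and flags firewall or policy quotas that are lower than the router quota. The function name, the `[quotas]` section name and the sample file are assumptions; `quota_routers` is used as written in the note.

```python
import configparser

# Defaults stated in the release note; 10 is also the router default it mentions.
FWAAS_DEFAULTS = {"quota_firewall": 10, "quota_firewall_policy": 10,
                  "quota_firewall_rule": 100}

def audit_fwaas_quotas(conf_text, section="quotas", router_opt="quota_routers"):
    """Return (effective_quotas, findings) for neutron.conf-style text.

    Assumptions: the section name and the router option name are parameters
    because they come from the note's wording, not from a verified deployment.
    """
    # default_section is renamed so [DEFAULT] values do not leak into [quotas].
    cp = configparser.ConfigParser(default_section="__unused__", interpolation=None)
    cp.read_string(conf_text)
    sect = cp[section] if cp.has_section(section) else {}
    effective = {k: int(sect.get(k, d)) for k, d in FWAAS_DEFAULTS.items()}
    routers = int(sect.get(router_opt, 10))
    findings = []
    # -1 removes the per-tenant cap, so creation never returns 409 Conflict.
    for name, value in effective.items():
        if value < 0:
            findings.append(f"{name}={value}: unlimited, no per-tenant cap")
    # With router insertion a tenant may want one firewall and policy per router.
    for name in ("quota_firewall", "quota_firewall_policy"):
        value = effective[name]
        if value >= 0 and (routers < 0 or value < routers):
            findings.append(f"{name}={value} is lower than {router_opt}={routers}")
    return effective, findings

# Constructed sample, not taken from a real deployment.
SAMPLE_CONF = """
[DEFAULT]
debug = false

[quotas]
quota_routers = 50
quota_firewall_rule = -1
"""

if __name__ == "__main__":
    effective, findings = audit_fwaas_quotas(SAMPLE_CONF)
    print(effective)
    for finding in findings:
        print("WARN:", finding)
```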