+1

-----Original Message-----
From: Sudha Ponnaganti [mailto:sudha.ponnaga...@citrix.com]
Sent: Thursday, January 17, 2013 12:59 AM
To: cloudstack-dev@incubator.apache.org
Subject: RE: [VOTE] Accept a donation of SRX&F5 inline mode support in CloudStack from Citrix

+1

-----Original Message-----
From: Animesh Chaturvedi [mailto:animesh.chaturv...@citrix.com]
Sent: Wednesday, January 16, 2013 10:53 AM
To: cloudstack-dev@incubator.apache.org
Subject: [VOTE] Accept a donation of SRX&F5 inline mode support in CloudStack from Citrix

Reposting with subject line VOTE

Committers have binding votes for this decision. Please respond with your vote:

+1 - Accept the donation and begin the process of bringing this enhancement to CloudStack in via the IP clearance process
+0 - Don't care
-1 - Do not accept the donation

This vote will remain open for ~72 hours.

> -----Original Message-----
> From: Sheng Yang [mailto:sh...@yasker.org]
> Sent: Tuesday, January 15, 2013 5:54 PM
> To: cloudstack-dev@incubator.apache.org
> Subject: [IP Clearance] CLOUDSTACK-306 SRX&F5 inline mode
>
> Hi,
>
> I'd like to start the process of IP Clearance for CLOUDSTACK-306:
> SRX&F5 inline mode support.
>
> Citrix would like to donate this code to Apache Cloudstack.
>
> This feature extended the support for external network devices for Cloudstack.
>
> In the Cloudstack 4.0 release, it's only able to work with SRX and F5
> in side-by-side mode, which means all the traffic going through F5
> load balancer would bypass SRX firewall, and F5 would be facing the
> public network directly. Cloudstack 4.0 still has some obsolete code
> to deal with inline mode back to 2.2.x era, but it's not functional
> after NaaS work in 3.0 release.
>
> After reintroducing this feature, SRX is able to work as the
> firewall for the whole guest network (isolated network), including F5.
> Every load balancing traffic must go through SRX, in order to reach F5.
>
> In order to support inline mode, in the first patch, I had
> re-implemented the firewall part SRX to make it able to filter based
> on public ip we're using to identify the traffic, using firewall filter of
> SRX.
>
> In the second patch, I've investigated the possibility of using one F5
> instance in site-by-site mode and inline-mode at the same time, and
> found it doable. So I make "inline" a parameter for network offering, not an
> option for device (e.g. F5).
>
> And I have reimplemented the inline mode feature in the third patch.
>
> The whole patchset mostly deals with external devices related files, e.g.
> JuniperSrxResource.java, ExternalFirewallDeviceManagerImpl.java,
> F5BigIpResource.java, ExternalLoadBalancerDeviceManagerImpl.java.
> There are also some refactor works regarding NetworkManagerImpl.java.
>
> The patchset is at:
> http://people.apache.org/~yasker/
>
> Since there are three patches, I've checksummed and signed the tar ball.
>
> The related Jira ticket at:
> https://issues.apache.org/jira/browse/CLOUDSTACK-306
>
> The function spec is at:
> https://cwiki.apache.org/CLOUDSTACK/network-inline-mode-functional-spec.html
>
> The previous discussion happened on:
> http://markmail.org/message/jnpl5b7b6cqqmrui
>
> There is no objection on this feature at the time of discussion.
>
> Thank you!
>
> --Sheng