cloudstack-commits mailing list archives

From radh...@apache.org
Subject git commit: updated refs/heads/master to 80cfc81
Date Fri, 02 Aug 2013 11:29:18 GMT
Updated Branches:
  refs/heads/master 97da9e70f -> 80cfc81bc


https://issues.apache.org/jira/browse/CLOUDSTACK-2685


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/80cfc81b
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/80cfc81b
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/80cfc81b

Branch: refs/heads/master
Commit: 80cfc81bc90e63fadb45026a27b6b7ba0e143d41
Parents: 97da9e7
Author: radhikap <radhika.puthiyetath@citrix.com>
Authored: Fri Aug 2 16:58:20 2013 +0530
Committer: radhikap <radhika.puthiyetath@citrix.com>
Committed: Fri Aug 2 16:58:50 2013 +0530

----------------------------------------------------------------------
 docs/en-US/creating-network-offerings.xml |  15 ++-
 docs/en-US/egress-firewall-rule.xml       | 168 +++++++++++++++++--------
 docs/en-US/ip-forwarding-firewalling.xml  |   9 +-
 docs/en-US/vnmc-cisco.xml                 |  10 +-
 4 files changed, 137 insertions(+), 65 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/80cfc81b/docs/en-US/creating-network-offerings.xml
----------------------------------------------------------------------
diff --git a/docs/en-US/creating-network-offerings.xml b/docs/en-US/creating-network-offerings.xml
index 6e25b27..4f75781 100644
--- a/docs/en-US/creating-network-offerings.xml
+++ b/docs/en-US/creating-network-offerings.xml
@@ -241,7 +241,7 @@
           <para>For information on Elastic IP, see <xref linkend="elastic-ip"/>.</para>
         </listitem>
         <listitem>
-          <para><emphasis role="bold">Redundant router capability</emphasis>.
Available only when
+          <para><emphasis role="bold">Redundant router capability</emphasis>:
Available only when
             Virtual Router is selected as the Source NAT provider. Select this option if
you want to
             use two virtual routers in the network for uninterrupted connection: one operating
as
             the master virtual router and the other as the backup. The master virtual router
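Review bot: the change is punctuation only (a colon instead of a full stop after the bold label), which matches the colon convention used for the other items in this list. The hunk touches only three items, so the remaining entries of the same itemizedlist, such as the Elastic IP item whose closing para is visible as context above, should be checked for the same "label:" form so the list reads uniformly.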
@@ -251,7 +251,7 @@
             reliability if one host is down.</para>
         </listitem>
         <listitem>
-          <para><emphasis role="bold">Conserve mode</emphasis>. Indicate
whether to use conserve
+          <para><emphasis role="bold">Conserve mode</emphasis>: Indicate
whether to use conserve
             mode. In this mode, network resources are allocated only when the first virtual
machine
             starts in the network. When conservative mode is off, the public IP can only
be used for
             a single service. For example, a public IP used for a port forwarding rule cannot
be
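Review bot: the context lines in this hunk call the feature "Conserve mode" in the label but "conservative mode" in the sentence "When conservative mode is off, the public IP can only be used for a single service"; since the hunk is already editing this paragraph, it should use one term throughout, e.g. "When conserve mode is off, the public IP can only be used for a single service."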
@@ -264,9 +264,18 @@
           </note>
         </listitem>
         <listitem>
-          <para><emphasis role="bold">Tags</emphasis>. Network tag to specify
which physical network
+          <para><emphasis role="bold">Tags</emphasis>: Network tag to specify
which physical network
             to use.</para>
         </listitem>
+        <listitem>
+          <para><emphasis role="bold">Default egress policy</emphasis>:
Configure the default policy
+            for firewall egress rules. Options are Allow and Deny. Default is Allow if no
egress
+            policy is specified, which indicates that all the egress traffic is accepted
when a
+            guest network is created from this offering. </para>
+          <para>To block the egress traffic for a guest network, select Deny. In this
case, when you
+            configure an egress rules for an isolated guest network, rules are added to allow
the
+            specified traffic.</para>
+        </listitem>
       </itemizedlist>
     </listitem>
     <listitem>
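Review bot: the new "Default egress policy" item has a grammar slip, "when you configure an egress rules for an isolated guest network", which should read "when you configure egress rules for an isolated guest network", and a trailing space before the closing para tag on "guest network is created from this offering. </para>". On substance, the text states that an offering with no explicit policy defaults to Allow, i.e. all outbound traffic from guests is accepted; since this is the security-relevant consequence of leaving the field blank, consider stating it in one direct sentence ("If you leave this field empty, the offering allows all egress traffic") rather than only in the clause "which indicates that all the egress traffic is accepted".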

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/80cfc81b/docs/en-US/egress-firewall-rule.xml
----------------------------------------------------------------------
diff --git a/docs/en-US/egress-firewall-rule.xml b/docs/en-US/egress-firewall-rule.xml
index 9b45e2e..148b6d6 100644
--- a/docs/en-US/egress-firewall-rule.xml
+++ b/docs/en-US/egress-firewall-rule.xml
@@ -19,7 +19,7 @@
   under the License.
 -->
 <section id="egress-firewall-rule">
-  <title>Creating Egress Firewall Rules in an Advanced Zone</title>
+  <title>Egress Firewall Rules in an Advanced Zone</title>
   <para>The egress traffic originates from a private network to a public network, such
as the
     Internet. By default, the egress traffic is blocked, so no outgoing traffic is allowed
from a
     guest network to the Internet. However, you can control the egress traffic in an Advanced
zone
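Review bot: the title change is fine, but the context paragraph below it still states "By default, the egress traffic is blocked, so no outgoing traffic is allowed from a guest network to the Internet." This commit also adds a "Changing the Default Egress Policy" section saying that the default is configurable per network offering and is Allow when no policy is specified, so this opening paragraph now contradicts the new section. It should say that the default behaviour is determined by the network offering's default egress policy and point to the new section with an xref to "default-egress-policy".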
@@ -27,7 +27,7 @@
     to the rule is allowed and the remaining traffic is blocked. When all the firewall rules
are
     removed the default policy, Block, is applied.</para>
   <para>Egress firewall rules are supported on Juniper SRX and virtual router.</para>
-    <note>
+  <note>
     <para>The egress firewall rules are not supported on shared networks.</para>
   </note>
   <para>Consider the following scenarios to apply egress firewall rules:</para>
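Review bot: indentation fix only, but the context sentence "When all the firewall rules are removed the default policy, Block, is applied" is no longer unconditionally true once an offering can have a default egress policy of Allow; it should be qualified ("the offering's default egress policy, Allow or Deny, is applied"), and it needs a comma after "removed".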
@@ -44,55 +44,117 @@
         specified for TCP, UDP or for ICMP type and code.</para>
     </listitem>
   </itemizedlist>
-  <para>To configure an egress firewall rule:</para>
-  <orderedlist>
-    <listitem>
-      <para>Log in to the &PRODUCT; UI as an administrator or end user. </para>
-    </listitem>
-    <listitem>
-      <para>In the left navigation, choose Network.</para>
-    </listitem>
-    <listitem>
-      <para>In Select view, choose Guest networks, then click the Guest network you
want.</para>
-    </listitem>
-    <listitem>
-      <para>To add an egress rule, click the Egress rules tab and fill out the following
fields to
-        specify what type of traffic is allowed to be sent out of VM instances in this guest
-        network:</para>
-      <mediaobject>
-        <imageobject>
-          <imagedata fileref="./images/egress-firewall-rule.png"/>
-        </imageobject>
-        <textobject>
-          <phrase>egress-firewall-rule.png: adding an egress firewall rule</phrase>
-        </textobject>
-      </mediaobject>
-      <itemizedlist>
-        <listitem>
-          <para><emphasis role="bold">CIDR</emphasis>: (Add by CIDR only)
To send traffic only to
-            the IP addresses within a particular address block, enter a CIDR or a comma-separated
-            list of CIDRs. The CIDR is the base IP address of the destination. For example,
-            192.168.0.0/22. To allow all CIDRs, set to 0.0.0.0/0.</para>
-        </listitem>
-        <listitem>
-          <para><emphasis role="bold">Protocol</emphasis>: The networking
protocol that VMs uses to
-            send outgoing traffic. The TCP and UDP protocols are typically used for data
exchange
-            and end-user communications. The ICMP protocol is typically used to send error
messages
-            or network monitoring data.</para>
-        </listitem>
-        <listitem>
-          <para><emphasis role="bold">Start Port, End Port</emphasis>:
(TCP, UDP only) A range of
-            listening ports that are the destination for the outgoing traffic. If you are
opening a
-            single port, use the same number in both fields.</para>
-        </listitem>
-        <listitem>
-          <para><emphasis role="bold">ICMP Type, ICMP Code</emphasis>:
(ICMP only) The type of
-            message and error code that are sent.</para>
-        </listitem>
-      </itemizedlist>
-    </listitem>
-    <listitem>
-      <para>Click Add.</para>
-    </listitem>
-  </orderedlist>
+  <section>
+    <title>Configuring an Egress Firewall Rule</title>
+    <orderedlist>
+      <listitem>
+        <para>Log in to the &PRODUCT; UI as an administrator or end user. </para>
+      </listitem>
+      <listitem>
+        <para>In the left navigation, choose Network.</para>
+      </listitem>
+      <listitem>
+        <para>In Select view, choose Guest networks, then click the Guest network you
want.</para>
+      </listitem>
+      <listitem>
+        <para>To add an egress rule, click the Egress rules tab and fill out the following
fields to
+          specify what type of traffic is allowed to be sent out of VM instances in this
guest
+          network:</para>
+        <mediaobject>
+          <imageobject>
+            <imagedata fileref="./images/egress-firewall-rule.png"/>
+          </imageobject>
+          <textobject>
+            <phrase>egress-firewall-rule.png: adding an egress firewall rule</phrase>
+          </textobject>
+        </mediaobject>
+        <itemizedlist>
+          <listitem>
+            <para><emphasis role="bold">CIDR</emphasis>: (Add by CIDR only)
To send traffic only to
+              the IP addresses within a particular address block, enter a CIDR or a comma-separated
+              list of CIDRs. The CIDR is the base IP address of the destination. For example,
+              192.168.0.0/22. To allow all CIDRs, set to 0.0.0.0/0.</para>
+          </listitem>
+          <listitem>
+            <para><emphasis role="bold">Protocol</emphasis>: The networking
protocol that VMs uses
+              to send outgoing traffic. The TCP and UDP protocols are typically used for
data
+              exchange and end-user communications. The ICMP protocol is typically used to
send
+              error messages or network monitoring data.</para>
+          </listitem>
+          <listitem>
+            <para><emphasis role="bold">Start Port, End Port</emphasis>:
(TCP, UDP only) A range of
+              listening ports that are the destination for the outgoing traffic. If you are
opening
+              a single port, use the same number in both fields.</para>
+          </listitem>
+          <listitem>
+            <para><emphasis role="bold">ICMP Type, ICMP Code</emphasis>:
(ICMP only) The type of
+              message and error code that are sent.</para>
+          </listitem>
+        </itemizedlist>
+      </listitem>
+      <listitem>
+        <para>Click Add.</para>
+      </listitem>
+    </orderedlist>
+  </section>
+  <section id="default-egress-policy">
+    <title>Changing the Default Egress Policy</title>
+    <para>You can configure the default policy of egress firewall rules in Isolated
Advanced
+      networks. Use the create network offering option to determine whether the default policy
+      should be block or allow all the traffic to the public network from a guest network.
If no
+      policy is specified, by default all the traffic is allowed from the guest network that
you
+      create by using this network offering.</para>
+    <para>You have two options: Allow and Deny.</para>
+    <formalpara>
+      <title>Allow</title>
+      <para>If you select Allow for a network offering, by default egress traffic is
allowed.
+        However, when an egress rule is configured for a guest network, rules are applied
to block
+        the specified traffic and rest are allowed. If no egress rules are configured for
the
+        network, egress traffic is accepted.</para>
+    </formalpara>
+    <formalpara>
+      <title>Deny</title>
+      <para>If you select Deny for a network offering, by default egress traffic for
the guest
+        network is blocked. However, when an egress rules is configured for a guest network,
rules
+        are applied to allow the specified traffic. While implementing a guest network, &PRODUCT;
+        adds the firewall egress rule specific to the default egress policy for the guest
+        network.</para>
+    </formalpara>
+    <para>This feature is supported only on virtual router and Juniper SRX.</para>
+    <orderedlist>
+      <listitem>
+        <para>Create a network offering with your desirable default egress policy:</para>
+        <orderedlist numeration="loweralpha">
+          <listitem>
+            <para>Log in with admin privileges to the &PRODUCT; UI.</para>
+          </listitem>
+          <listitem>
+            <para>In the left navigation bar, click Service Offerings.</para>
+          </listitem>
+          <listitem>
+            <para>In Select Offering, choose Network Offering.</para>
+          </listitem>
+          <listitem>
+            <para>Click Add Network Offering.</para>
+          </listitem>
+          <listitem>
+            <para>In the dialog, make necessary choices, including firewall provider.</para>
+          </listitem>
+          <listitem>
+            <para>In the Default egress policy field, specify the behaviour.</para>
+          </listitem>
+          <listitem>
+            <para>Click OK.</para>
+          </listitem>
+        </orderedlist>
+      </listitem>
+      <listitem>
+        <para>Create an isolated network by using this network offering.</para>
+        <para>Based on your selection, the network will have the egress public traffic
blocked or
+          allowed.</para>
+      </listitem>
+    </orderedlist>
+    <para>On upgrade existing network offerings with firewall service providers will
have the
+      default egress policy DENY.</para>
+  </section>
 </section>
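Review bot: the new "Changing the Default Egress Policy" section explains that egress rules have opposite meaning depending on the offering's default policy (under Allow the configured rules block the specified traffic, under Deny they allow it), but the "Configuring an Egress Firewall Rule" section above still says the fields "specify what type of traffic is allowed to be sent out of VM instances", which is only true for Deny; that sentence should be reworded to mention both cases or xref the default-policy section, otherwise an administrator on an Allow offering will read a rule as a permit when it is actually a block. Smaller points: the first inner section has no id attribute while the sibling has id="default-egress-policy", so add one (e.g. id="configure-egress-firewall-rule") to keep it cross-referenceable; "when an egress rules is configured" should be "when egress rules are configured"; "rules are applied to block the specified traffic and rest are allowed" should be "and the rest is allowed"; "your desirable default egress policy" should be "your desired default egress policy"; the intro paragraph says "block or allow" while the options are named "Allow and Deny", so use "deny or allow"; and the closing sentence needs punctuation and should be prominent, since it describes a behaviour change on upgrade: "On upgrade, existing network offerings with firewall service providers will have the default egress policy Deny."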

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/80cfc81b/docs/en-US/ip-forwarding-firewalling.xml
----------------------------------------------------------------------
diff --git a/docs/en-US/ip-forwarding-firewalling.xml b/docs/en-US/ip-forwarding-firewalling.xml
index d7a2457..d1beb2e 100644
--- a/docs/en-US/ip-forwarding-firewalling.xml
+++ b/docs/en-US/ip-forwarding-firewalling.xml
@@ -20,15 +20,16 @@
 -->
 <section id="ip-forwarding-firewalling">
   <title>IP Forwarding and Firewalling</title>
-  <para>By default, all incoming traffic to the public IP address is rejected.
-    All outgoing traffic from the guests is also blocked by default.</para>
-  <para>To allow outgoing traffic, follow the procedure in <xref linkend="egress-firewall-rule"/>.</para>
+  <para>By default, all incoming traffic to the public IP address is rejected. All
outgoing traffic
+    from the guests is also blocked by default.</para>
+  <para>To allow outgoing traffic, follow the procedure in <xref linkend="egress-firewall-rule"
+    />.</para>
   <para>To allow incoming traffic, users may set up firewall rules and/or port forwarding
rules. For
     example, you can use a firewall rule to open a range of ports on the public IP address,
such as
     33 through 44. Then use port forwarding rules to direct traffic from individual ports
within
     that range to specific ports on user VMs. For example, one port forwarding rule could
route
     incoming traffic on the public IP's port 33 to port 100 on one user VM's private IP.</para>
-  <xi:include href="egress-firewall-rule.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
   <xi:include href="firewall-rules.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
+  <xi:include href="egress-firewall-rule.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
   <xi:include href="port-forwarding.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
 </section>
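Review bot: moving the egress-firewall-rule include after firewall-rules is fine, but the rewrapped paragraph keeps the sentence "All outgoing traffic from the guests is also blocked by default", which this same commit makes conditional on the network offering's default egress policy (Allow when none is specified). Reword to "Outgoing traffic from the guests is allowed or blocked by default according to the network offering's default egress policy" and keep the xref to egress-firewall-rule. Also, splitting the self-closing xref as `<xref linkend="egress-firewall-rule"` followed by `/>` on the next line is valid XML but unusual in this doc set; keep the tag on one line.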

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/80cfc81b/docs/en-US/vnmc-cisco.xml
----------------------------------------------------------------------
diff --git a/docs/en-US/vnmc-cisco.xml b/docs/en-US/vnmc-cisco.xml
index 924806c..3d20160 100644
--- a/docs/en-US/vnmc-cisco.xml
+++ b/docs/en-US/vnmc-cisco.xml
@@ -107,11 +107,11 @@
       <title>Guidelines</title>
       <para>When a guest network is created with Cisco VNMC firewall provider, an additional
public
         IP is acquired along with the Source NAT IP. The Source NAT IP is used for the ASA
outside
-        interface, whereas the addition IP is used to workaround an ASA limitation. Ensure
that this
-        additional public IP is not released. You can identify this IP as soon as the network
is in
-        implemented state and before acquiring any further public IPs. The additional IP
is the one
-        that is not marked as Source NAT. You can find the IP used for the ASA outside interface
by
-        looking at the Cisco VNMC used in your guest network.</para>
+        interface, whereas the additional IP is used to workaround an ASA limitation. Ensure
that
+        this additional public IP is not released. You can identify this IP as soon as the
network
+        is in implemented state and before acquiring any further public IPs. The additional
IP is
+        the one that is not marked as Source NAT. You can find the IP used for the ASA outside
+        interface by looking at the Cisco VNMC used in your guest network.</para>
     </section>
     <section id="how-to-asa">
       <title>Using Cisco ASA 1000v Services</title>
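Review bot: the typo fix ("addition IP" to "additional IP") is correct; while this paragraph is being rewrapped, also change "used to workaround an ASA limitation" to "used to work around an ASA limitation" (verb form) and "as soon as the network is in implemented state" to "as soon as the network is in the Implemented state", since it names a specific network state.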

