cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sheng Yang <>
Subject [IP Clearance] CLOUDSTACK-306 SRX&F5 inline mode
Date Wed, 16 Jan 2013 01:53:41 GMT

I'd like to start the process of IP Clearance for CLOUDSTACK-306:
SRX&F5 inline mode support.

Citrix would like to donate this code to Apache Cloudstack.

This feature extended the support for external network devices for Cloudstack.

In the Cloudstack 4.0 release, it's only able to work with SRX and F5
in side-by-side mode, which means all the traffic going through F5
load balancer would bypass SRX firewall, and F5 would facing the
public network directly. Cloudstack 4.0 still have some obsolete codes
to deal with inline mode back to 2.2.x era, but they're not functional
after NaaS work in 3.0 release.

After reintroducing this feature, SRX is able to working as the
firewall for the whole guest network(isolated network), including F5.
Every load balancing traffic must go through SRX, in order to reach

In order to support inline mode, in the first patch, I had
re-implemented the firewall part SRX to make it able to filter based
on public ip we're using to identify the traffic, using firewall
filter of SRX.

In the second patch, I've investigated the possibility of using one F5
instance in site-by-site mode and inline-mode at the same time, and
found it doable. So I make "inline" a parameter for network offering,
not an option for device(e.g. F5).

And I have reimplemented the inline mode feature in the third patch.

The whole patchset mostly deal with external devices related filres,
There are also some refactor works regarding

The patchset is at:

Since there are three patches, I've checksumed and signed the tar ball.

The related Jira ticket at:

The function spec is at:

The previous discussion happened on:

There is no objection on this feature at the time of discussion.

Thank you!


View raw message