Hi, I'd like to start the process of IP Clearance for CLOUDSTACK-306: SRX&F5 inline mode support.

Citrix would like to donate this code to Apache Cloudstack. This feature extends the support for external network devices in Cloudstack. In the Cloudstack 4.0 release, it is only able to work with SRX and F5 in side-by-side mode, which means all the traffic going through the F5 load balancer would bypass the SRX firewall, and F5 would be facing the public network directly. Cloudstack 4.0 still has some obsolete code to deal with inline mode dating back to the 2.2.x era, but it is not functional after the NaaS work in the 3.0 release. After reintroducing this feature, SRX is able to work as the firewall for the whole guest network (isolated network), including F5. Every load balancing traffic must go through SRX in order to reach F5.

In order to support inline mode, in the first patch, I re-implemented the firewall part of SRX to make it able to filter based on the public IP we're using to identify the traffic, using the firewall filter of SRX. In the second patch, I investigated the possibility of using one F5 instance in side-by-side mode and inline mode at the same time, and found it doable. So I made "inline" a parameter of the network offering, not an option of the device (e.g. F5). And I reimplemented the inline mode feature in the third patch.

The whole patchset mostly deals with external device related files, e.g. JuniperSrxResource.java, ExternalFirewallDeviceManagerImpl.java, F5BigIpResource.java, ExternalLoadBalancerDeviceManagerImpl.java. There is also some refactoring work regarding NetworkManagerImpl.java.

The patchset is at: http://people.apache.org/~yasker/

Since there are three patches, I've checksummed and signed the tar ball.

The related Jira ticket is at: https://issues.apache.org/jira/browse/CLOUDSTACK-306

The functional spec is at: https://cwiki.apache.org/CLOUDSTACK/network-inline-mode-functional-spec.html

The previous discussion happened on: http://markmail.org/message/jnpl5b7b6cqqmrui

There was no objection to this feature at the time of discussion.

Thank you!

--Sheng
