1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
|
heat_template_version: 2013-05-23
description: >
Based on the following reference for the HOT-DMZ-FW template:
Version 3.5 8-10-2015 (Authors: Art Mishurov,am254u & Johhny Chen, jc3066) - HOT-DMZ-FW template that creates two DMZ networks (direct and protected) with a scaled out firewall service between the two.
parameters:
hsl_direct_net1:
type: string
hsl_direct_net2:
type: string
hsl_direct_net3:
type: string
hsl_direct_net4:
type: string
HSL_direct_net_id:
type: string
description: Name of HSL (Logging) network
HSL_direct_net_cidr:
type: string
description: HSL (Logging) network address (CIDR notation)
HSL_direct_net_gateway:
type: string
description: HSL (Logging) network gateway address
oam_mgmt_net_0_id:
type: string
description: Name of OAM network
Cricket_OCS_direct_net_id:
type: string
description: Name of Cricket OCS network
Cricket_OCS_protected_net_id:
type: string
description: Name of Cricket OCS network
service_instance_name:
type: string
description: Service instance name
service_policy_name:
type: string
description: Policy Name
service_policy_direction:
type: string
description: Direction of Policy
start_src_ports:
type: number
description: Start of src port
end_src_ports:
type: number
description: End of src port
start_dst_ports:
type: number
description: Start of dst port
end_dst_ports:
type: number
description: End of dst port
st_name:
type: string
description: Name of service template
st_mode:
type: string
description: service mode
st_type:
type: string
description: service type
st_image_name:
type: string
description: Name of the image
st_flavor:
type: string
description: Flavor
st_service_interface_type_list:
type: string
description: List of interface types
st_shared_ip_list:
type: string
description: List of shared ip enabled-disabled
st_static_routes_list:
type: string
description: List of static routes enabled-disabled
st_scaling:
type: string
description: Indicates whether service scaling is enabled
max_num_fw_instances:
type: number
description: maximum number of firewall instances for scaling
availability_zone_1:
type: string
description: availability zone
network_param1:
type: string
network_param2:
type: string
resources:
hsl_direct_net:
type: OS::Contrail::VirtualNetwork
properties:
name: { get_param: HSL_direct_net_id }
hsl_ip_subnet:
type: OS::Neutron::Subnet
properties:
network_id: { get_resource: hsl_direct_net }
cidr: { get_param: HSL_direct_net_cidr }
gateway_ip: { get_param: HSL_direct_net_gateway }
service_template:
type: OS::Contrail::ServiceTemplate
properties:
name: { get_param: st_name }
service_mode: { get_param: st_mode }
service_type: { get_param: st_type }
image_name: { get_param: st_image_name }
flavor: { get_param: st_flavor }
service_interface_type_list: { "Fn::Split" : [ ",", Ref: st_service_interface_type_list ] }
shared_ip_list: { "Fn::Split" : [ ",", Ref: st_shared_ip_list ] }
static_routes_list: { "Fn::Split" : [ ",", Ref: st_static_routes_list ] }
service_scaling: { get_param: st_scaling }
service_instance3:
type: OS::Contrail::ServiceInstance
depends_on: [ hsl_ip_subnet]
properties:
name: { get_param: service_instance_name }
availability_zone: { get_param: availability_zone_1 }
service_template: { get_resource: service_template }
scale_out:
max_instances: {get_param: max_num_fw_instances}
interface_list: [
{
virtual_network: { get_param: network_param1 }
},
{
virtual_network: { get_param: network_param1 }
},
{
virtual_network: { get_param: network_param2 }
}
]
service_instance1:
type: OS::Contrail::ServiceInstance
depends_on: [ hsl_ip_subnet]
properties:
name: { get_param: service_instance_name }
availability_zone: { get_param: availability_zone_1 }
service_template: { get_resource: service_template }
scale_out:
max_instances: {get_param: max_num_fw_instances}
interface_list: [
{
virtual_network: { get_param: network_param2 }
},
{
virtual_network: { get_param: network_param1 }
},
{
virtual_network: { get_param: network_param2 }
}
]
service_policy:
type: OS::Contrail::NetworkPolicy
depends_on: [ service_instance3 ]
properties:
name: { get_param: service_policy_name }
entries:
policy_rule: [
{
"direction": { get_param: service_policy_direction },
"protocol": "any",
"src_ports": [{"start_port": {get_param: start_src_ports}, "end_port": {get_param: end_src_ports}}],
"dst_ports": [{"start_port": {get_param: start_dst_ports}, "end_port": {get_param: end_dst_ports}}],
"dst_addresses": [{ "virtual_network": { get_param: Cricket_OCS_direct_net_id }}],
"action_list": { "apply_service": [{ get_resource: service_instance3 }]},
"src_addresses": [{ "virtual_network": { get_param: Cricket_OCS_protected_net_id }}],
},
]
service_policy_attach_direct_net:
type: OS::Contrail::AttachPolicy
depends_on: [ service_policy ]
properties:
network: { get_param: Cricket_OCS_direct_net_id }
policy: { get_attr: [service_policy, fq_name] }
service_policy_attach_protected_net:
type: OS::Contrail::AttachPolicy
depends_on: [ service_policy ]
properties:
network: { get_param: Cricket_OCS_protected_net_id }
policy: { get_attr: [service_policy, fq_name] }
test_nested3:
type: OCS-fw3.yml
properties:
network_param1: { get_param: network_param1}
network_param2: { get_param: network_param1}
|
