Versions Compared

Old Version 15

changes.mady.by.user Srinivasa Addepalli

Saved on

compared with

New Version 16

changes.mady.by.user cheng1.li

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
languageyml
titleFirewallConf
apiVersion: batch.sdewan.akraino.org/v1alpha1
kind: FirewallConf
metadata:
  name: example-firewall
spec:
  zones:
    - name: lan
      network:
        - ovn-net2
      input: REJECT
      output: ACCEPT
    - name: wan
      network:
        - ovn-net1
      input: REJECT
      output: ACCEPT
  redirects:
    - name: DNAT-LAN
      src: wan
      src_dport: 1990
      dest: lan
      dest_port: 22
      proto: tcp
      target: DNAT
  rules:
    - name: REJECT_LAN_80
      src: lan
      src_ip: 192.168.1.2
      src_port: 80
      proto: tcp
      target: REJECT
  forwardings:
    - name: lan-wan
      src: lan
      dest: wan


The reconcile function logic

Image Added

The controller behave

  • Monitor Sdewan instance and Mwan3Conf/FirewallConf instance
  • When Mwan3Conf/FirewallConf instance created/update:
    • validate the instance Spec by API admission webhook 
    • If this Conf instance is used by any Sdewan instance, then info the Sdewan controller to apply the conf.
  • When Mwan3Conf/FirewallConf instance being deleted:
    • If this Conf instance is used by any Sdwan instance, prevent the delete action
  • When Sdwan instance created/updated:
    • Creates sdewan deployment/pod if it does not exist
    • Apply the Conf if the Conf instance exists
  • When Sdwan instance deleted:
    • Delete the deployment/pod