[openstack-dev] [neutron][fwaas] how a disabled firewall should behave

Sridar Kandaswamy (skandasw) skandasw at cisco.com
Tue Jan 26 18:01:10 UTC 2016


Hi Takashi:

There were discussions around this sometime in the H cycle w.r.t the
reference implementation. IIRC, the consensus was that if a Firewall is
configured, the points of insertion should be conservative and drop all
traffic when admin_state_up is False. Only removing the Firewall will pass
all traffic. And the code does that [1], which you have probably already
checked.

[1] https://github.com/openstack/neutron-fwaas/blob/master/neutron_fwaas/services/firewall/drivers/linux/iptables_fwaas.py#L120

Thanks

Sridar


On 1/26/16, 2:15 AM, "Takashi Yamamoto" <yamamoto at midokura.com> wrote:

>hi,
>
>what should a firewall with admin_state_up=False do?
>my intuition says such a firewall should pass all traffic. (same as no
>firewall)
>but the reference implementation seems to block everything. (same as a
>firewall without any rules)
>i wrote a tempest test case (test_firewall_disable_rule) mirroring the
>behaviour of the reference implementation
>because i couldn't find any documentation.
>but i'm now wondering if it was correct.
>is the reference implementation's behavior intended?  how do other vendors
>do it?
>
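The three states discussed in this thread, as an added sketch that is not part of the original messages and is not neutron-fwaas code: no firewall passes traffic, a firewall with admin_state_up=False drops everything, and an enabled firewall applies its rules with a default drop. The classes, `verdict()` and `three_state_verdicts()` are hypothetical names, and the packet and rule values are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

@dataclass
class Rule:                       # hypothetical model of one firewall rule
    action: str                   # "allow" or "deny"
    protocol: Optional[str] = None    # None matches any protocol
    dest_port: Optional[int] = None   # None matches any port
    source: str = "0.0.0.0/0"

@dataclass
class Firewall:
    admin_state_up: bool
    rules: List[Rule] = field(default_factory=list)

@dataclass
class Packet:
    src: str
    protocol: str
    dest_port: int

def verdict(fw: Optional[Firewall], pkt: Packet) -> str:
    """Decide what an insertion point does with pkt under the thread's semantics."""
    if fw is None:                # firewall removed: nothing filters, traffic passes
        return "allow"
    if not fw.admin_state_up:     # configured but disabled: fail closed, rules ignored
        return "deny"
    for rule in fw.rules:         # enabled: first matching rule wins
        if rule.protocol not in (None, pkt.protocol):
            continue
        if rule.dest_port not in (None, pkt.dest_port):
            continue
        if ip_address(pkt.src) not in ip_network(rule.source):
            continue
        return rule.action
    return "deny"                 # no rule matched (or no rules at all): drop

def three_state_verdicts(pkt: Packet, rules: List[Rule]) -> Dict[str, str]:
    """Evaluate the same packet and rule set under each of the three states."""
    return {
        "no_firewall": verdict(None, pkt),
        "admin_state_down": verdict(Firewall(False, rules), pkt),
        "admin_state_up": verdict(Firewall(True, rules), pkt),
    }

# Constructed sample input: one allow rule for HTTP and one matching packet.
SAMPLE_RULES = [Rule("allow", "tcp", 80)]
SAMPLE_PACKET = Packet("203.0.113.7", "tcp", 80)

if __name__ == "__main__":
    print(three_state_verdicts(SAMPLE_PACKET, SAMPLE_RULES))
```

A driver or test that treats admin_state_up=False the same as "no firewall" would differ from this model only in the `admin_state_down` entry.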



