<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
On 08/28/2015 02:53 PM, Germy Lure wrote:
<blockquote
cite="mid:CAEfdOg363qG6K0TphoZUC9t_HJxXjTVUFUxn0Hg2ztyXH=sAMA@mail.gmail.com"
type="cite">
<div dir="ltr">Hi all,
<div><br>
</div>
<div>I have two points.</div>
<div>a. For the problem in this thread, my suggestion is to
introduce new concepts to replace the existing firewall and
SG.</div>
<div>Perhaps you have found the overlap between firewall and SG.
It's troublesome for users to choose between them.</div>
<div>So the new concepts are edge-firewall for N/S traffic and
distributed firewall for E/W traffic. The former is similar to
the existing firewall but without E/W control and is deployed
on those nodes that connect with the external world. The latter
controls E/W traffic such as subnet to subnet, VM to VM and
subnet to VM and will be deployed on compute nodes.</div>
<div><br>
</div>
<div>We can attach firewall rules to VM ports implicitly,
especially when DVR is disabled. I think it's difficult for a
user to do that explicitly when there are hundreds of VMs.</div>
<div><br>
</div>
<div>b. For problems like this.</div>
<div>From the recent mailing list, we can see so many problems
introduced by DVR, such as VPNaaS, floating IP and FWaaS
co-existing with DVR, etc.</div>
<div>Then, stackers, I don't know what the standard or
outgoing check is for releasing a feature in the community. But can we
make or add some provisions or something else in order to
avoid conflicts between features?</div>
<div><br>
</div>
<div>Forgive my poor English</div>
<div>BR,</div>
<div>Germy</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Aug 27, 2015 at 11:44 PM,
Mickey Spiegel <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:emspiege@us.ibm.com" target="_blank">emspiege@us.ibm.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">Bump<br>
<br>
The FWaaS team would really like some feedback from the DVR
side.<br>
<span class="HOEnZb"><font color="#888888"><br>
Mickey<br>
</font></span><span class="im HOEnZb"><br>
-----Mickey Spiegel/San Jose/IBM wrote: -----<br>
To: <a moz-do-not-send="true"
href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a><br>
From: Mickey Spiegel/San Jose/IBM<br>
Date: 08/19/2015 09:45AM<br>
Subject: [fwaas][dvr] FWaaS with DVR<br>
<br>
Currently, FWaaS behaves differently with DVR, applying to
only north/south traffic, whereas FWaaS on routers in
network nodes applies to both north/south and east/west
traffic. There is a compatibility issue due to the
asymmetric design of L3 forwarding in DVR, which breaks
the connection tracking that FWaaS currently relies on.<br>
<br>
I started an etherpad where I hope the community can
discuss the problem, collect multiple possible solutions,
and eventually try to reach consensus about how to move
forward:<br>
<a moz-do-not-send="true"
href="https://etherpad.openstack.org/p/FWaaS_with_DVR"
rel="noreferrer" target="_blank">https://etherpad.openstack.org/p/FWaaS_with_DVR</a><br>
<br>
I listed every possible solution that I can think of as a
starting point. I am somewhat new to OpenStack and FWaaS,
so please correct anything that I might have
misrepresented.<br>
<br>
Please add more possible solutions and comment on the
possible solutions already listed.<br>
<br>
Mickey<br>
<br>
<br>
<br>
<br>
</span>
<div class="HOEnZb">
<div class="h5">__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage
questions)<br>
Unsubscribe: <a moz-do-not-send="true"
href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe"
rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
I agree that FWaaS overlaps with security groups, and many of my
colleagues who try to use the Neutron API always ask me a question: what
is the difference between security groups and FWaaS? I try to explain that FWaaS is not only
responsible for securing E/W traffic but also responsible for N/S
traffic, and security groups are definitely used to secure E/W traffic.<br>
Now in the Kilo release, DVR is a relatively mature feature in
Neutron, but it isn't compatible with FWaaS. In a DVR deployment,
personally, I think it's reasonable for FWaaS to take care only
of N/S traffic, and for security groups to take care of
E/W traffic.<br>
<br>
denghui<br>
Br<br>
<br>
<br>
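As an added illustration (not part of this thread, and not Neutron code), a small Python model of the failure Mickey describes above: a stateful firewall that relies on conntrack works when one router instance sees both directions of a flow, but drops the reply when DVR sends each direction through a different compute node's router instance. The router names, addresses and trust policy are constructed for the model.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

@dataclass
class RouterFirewall:
    """One router instance (think: one L3 namespace) with its own conntrack table.
    Policy: NEW flows are accepted only if they originate in trusted_net; any packet
    matching an existing conntrack entry (i.e. a reply) is accepted as ESTABLISHED."""
    name: str
    trusted_net: str
    conntrack: set = field(default_factory=set)

    @staticmethod
    def flow_key(p: Packet) -> frozenset:
        # Direction-independent key, so a reply matches the entry its request created
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def filter(self, p: Packet) -> str:
        key = self.flow_key(p)
        if key in self.conntrack:
            return "ACCEPT"  # ESTABLISHED: this instance saw the other direction
        if p.src.startswith(self.trusted_net):
            self.conntrack.add(key)
            return "ACCEPT"  # NEW, initiated from the trusted side
        return "DROP"        # NEW, initiated from the untrusted side

def run_flow(forward_path, reply_path):
    """Send a constructed request along forward_path and its reply along reply_path;
    return the verdict each direction received."""
    req = Packet("10.0.1.5", "10.0.2.7", 40000, 80)
    rep = Packet("10.0.2.7", "10.0.1.5", 80, 40000)
    verdicts = {"request": "ACCEPT", "reply": "ACCEPT"}
    for fw in forward_path:
        if fw.filter(req) == "DROP":
            verdicts["request"] = "DROP"
            return verdicts  # no reply if the request never arrives
    for fw in reply_path:
        if fw.filter(rep) == "DROP":
            verdicts["reply"] = "DROP"
    return verdicts

def centralized_router():
    # Symmetric path: one router namespace on the network node sees both directions
    fw = RouterFirewall("network-node", "10.0.1.")
    return run_flow([fw], [fw])

def dvr_east_west():
    # Asymmetric path: request via compute1's router instance, reply via compute2's;
    # the reply is NEW to compute2, from the untrusted side, so it is dropped
    fw_a = RouterFirewall("compute1", "10.0.1.")
    fw_b = RouterFirewall("compute2", "10.0.1.")
    return run_flow([fw_a], [fw_b])
```

The same model explains why security groups, which are enforced at the VM port where both directions of a flow always pass, are unaffected by DVR's asymmetry.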
</body>
</html>