[openstack-dev] [Neutron] Simple proposal for stabilizing new features in-tree

Wuhongning wuhongning at huawei.com
Fri Aug 15 01:32:24 UTC 2014


Hi Sridar,

Yes, I know this is only for phase 1, while I'm also thinking about how it should be in the next phase. At least, a zone concept should be introduced; we may use it to replace SG, to eliminate potential conflicts of defining ACLs in two different places.

________________________________
From: Sridar Kandaswamy (skandasw) [skandasw at cisco.com]
Sent: Thursday, August 14, 2014 10:12 PM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [Neutron] Simple proposal for stabilizing new features in-tree

Hi Wuhongning:

Yes, you are correct – this is phase 1 to at least get basic perimeter firewall support working with DVR before looking for an optimal way to address E – W traffic.

Thanks

Sridar

From: Wuhongning <wuhongning at huawei.com>
Reply-To: OpenStack List <openstack-dev at lists.openstack.org>
Date: Thursday, August 14, 2014 at 1:05 AM
To: OpenStack List <openstack-dev at lists.openstack.org>
Subject: Re: [openstack-dev] [Neutron] Simple proposal for stabilizing new features in-tree

FWaaS can't seamlessly work with DVR yet. A BP [1] has been submitted, but it can only handle NS traffic, leaving W-E untouched. If we implement the WE firewall in DVR, the iptables might be applied on a per-port basis, so there is some overlap with SG (Can we imagine a packet running into the iptables hook twice between VM and the wire, for both ingress and egress directions?).

Maybe the overall service plugins (including service extension in ML2) need some cleaning up. It seems that Neutron is just built from separate single blocks.

[1]  http://git.openstack.org/cgit/openstack/neutron-specs/tree/specs/juno/neutron-dvr-fwaas.rst
