[openstack-dev] [neutron][fwaas][dvr] FWaaS with DVR

Carl Baldwin carl at ecbaldwin.net
Mon Aug 31 17:05:04 UTC 2015


Hi,

I did take the opportunity to read through your etherpad today.  Many
of the solutions that you propose have been discussed in the past but
there just hasn't been a traction on the problem.  You did a fine job
of writing this up and I think we should use your etherpad as a
central point for discussion.

I know that the original DVR team also did some discussion around this
and I believe had some documents with possible solutions.  I don't
know where those are at the moment and so I would also like to hear
from them.

It will be difficult to decide on a solution to this problem without
first knowing how fwaas and security groups will be going forward.  I
look forward to some good discussions at the summit.

Carl

On Wed, Aug 19, 2015 at 10:56 AM, Mickey Spiegel <emspiege at us.ibm.com> wrote:
> Resending, forgot the [neutron] tag
>
> -----Mickey Spiegel/San Jose/IBM wrote: -----
> To: openstack-dev at lists.openstack.org
> From: Mickey Spiegel/San Jose/IBM
> Date: 08/19/2015 09:45AM
> Subject: [fwaas][dvr] FWaaS with DVR
>
>
> Currently, FWaaS behaves differently with DVR, applying to only north/south
> traffic, whereas FWaaS on routers in network nodes applies to both
> north/south and east/west traffic. There is a compatibility issue due to the
> asymmetric design of L3 forwarding in DVR, which breaks the connection
> tracking that FWaaS currently relies on.
>
> I started an etherpad where I hope the community can discuss the problem,
> collect multiple possible solutions, and eventually try to reach consensus
> about how to move forward:
> https://etherpad.openstack.org/p/FWaaS_with_DVR
>
> I listed every possible solution that I can think of as a starting point. I
> am somewhat new to OpenStack and FWaaS, so please correct anything that I
> might have misrepresented.
>
> Please add more possible solutions and comment on the possible solutions
> already listed.
>
> Mickey
>
>
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>



More information about the OpenStack-dev mailing list