[openstack-dev] [neutron][fwaas] how a disabled firewall should behave

James Denton james.denton at rackspace.com
Tue Jan 26 15:00:46 UTC 2016

Hi Takashi,

At least in Liberty, with the reference iptables firewall, it looks like setting the admin state of the firewall to DOWN results in traffic hitting only the neutron-l3-agent-fwaas-defau chain. The action there is to DROP all traffic.


On 1/26/16, 4:15 AM, "Takashi Yamamoto" <yamamoto at midokura.com> wrote:

>what a firewall with admin_state_up=False should do?
>my intuition says such a firewall should pass all traffic. (same as no firewall)
>but the reference implementation seems to block everything. (same as a
>firewall without any rules)
>i wrote a tempest test case (test_firewall_disable_rule) mirroring the
>behaviour of the reference implementation
>because i couldn't find any documentation.
>but i'm now wondering if it was correct.
>is the reference implementation's behavior intended?  how other vendors do?
>OpenStack Development Mailing List (not for usage questions)
>Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe

More information about the OpenStack-dev mailing list