[openstack-dev] [neutron][fwaas] how a disabled firewall should behave

Sridar Kandaswamy (skandasw) skandasw at cisco.com
Tue Jan 26 18:01:10 UTC 2016

Hi Takashi:

There were discussions around this sometime in the H cycle w.r.t the
reference implementation. IIRC, the consensus was that if a Firewall is
configured, the points of insertion should be conservative and drop all
traffic when admin_state_up is False. Only removing the Firewall will pass
all traffic. And the code does that [1] which u have probab already




On 1/26/16, 2:15 AM, "Takashi Yamamoto" <yamamoto at midokura.com> wrote:

>what a firewall with admin_state_up=False should do?
>my intuition says such a firewall should pass all traffic. (same as no
>but the reference implementation seems to block everything. (same as a
>firewall without any rules)
>i wrote a tempest test case (test_firewall_disable_rule) mirroring the
>behaviour of the reference implementation
>because i couldn't find any documentation.
>but i'm now wondering if it was correct.
>is the reference implementation's behavior intended?  how other vendors
>OpenStack Development Mailing List (not for usage questions)
>Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe

More information about the OpenStack-dev mailing list