hi, thank you. i guess this should be documented explicitly. i submitted api-site patch: https://review.openstack.org/#/c/272882/ On Wed, Jan 27, 2016 at 3:01 AM, Sridar Kandaswamy (skandasw) <skandasw at cisco.com> wrote: > Hi Takashi: > > There were discussions around this sometime in the H cycle w.r.t the > reference implementation. IIRC, the consensus was that if a Firewall is > configured, the points of insertion should be conservative and drop all > traffic when admin_state_up is False. Only removing the Firewall will pass > all traffic. And the code does that [1] which u have probab already > checked. > > [1] > https://github.com/openstack/neutron-fwaas/blob/master/neutron_fwaas/servic > es/firewall/drivers/linux/iptables_fwaas.py#L120 > > Thanks > > Sridar > > > On 1/26/16, 2:15 AM, "Takashi Yamamoto" <yamamoto at midokura.com> wrote: > >>hi, >> >>what a firewall with admin_state_up=False should do? >>my intuition says such a firewall should pass all traffic. (same as no >>firewall) >>but the reference implementation seems to block everything. (same as a >>firewall without any rules) >>i wrote a tempest test case (test_firewall_disable_rule) mirroring the >>behaviour of the reference implementation >>because i couldn't find any documentation. >>but i'm now wondering if it was correct. >>is the reference implementation's behavior intended? how other vendors >>do? >> >>__________________________________________________________________________ >>OpenStack Development Mailing List (not for usage questions) >>Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe >>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > > __________________________________________________________________________ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev