[openstack-dev] [neutron][fwaas] how a disabled firewall should behave

Takashi Yamamoto yamamoto at midokura.com
Wed Jan 27 03:14:53 UTC 2016


thank you.
i guess this should be documented explicitly.
i submitted api-site patch: https://review.openstack.org/#/c/272882/

On Wed, Jan 27, 2016 at 3:01 AM, Sridar Kandaswamy (skandasw)
<skandasw at cisco.com> wrote:
> Hi Takashi:
> There were discussions around this sometime in the H cycle w.r.t the
> reference implementation. IIRC, the consensus was that if a Firewall is
> configured, the points of insertion should be conservative and drop all
> traffic when admin_state_up is False. Only removing the Firewall will pass
> all traffic. And the code does that [1] which u have probab already
> checked.
> [1]
> https://github.com/openstack/neutron-fwaas/blob/master/neutron_fwaas/servic
> es/firewall/drivers/linux/iptables_fwaas.py#L120
> Thanks
> Sridar
> On 1/26/16, 2:15 AM, "Takashi Yamamoto" <yamamoto at midokura.com> wrote:
>>what a firewall with admin_state_up=False should do?
>>my intuition says such a firewall should pass all traffic. (same as no
>>but the reference implementation seems to block everything. (same as a
>>firewall without any rules)
>>i wrote a tempest test case (test_firewall_disable_rule) mirroring the
>>behaviour of the reference implementation
>>because i couldn't find any documentation.
>>but i'm now wondering if it was correct.
>>is the reference implementation's behavior intended?  how other vendors
>>OpenStack Development Mailing List (not for usage questions)
>>Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

More information about the OpenStack-dev mailing list