[Openstack] [FWaaS] Doubts with FWaaS

郭龙仓 guolongcang.work at gmail.com
Wed Dec 11 08:46:09 UTC 2013


Well, maybe you can show me your tenant network topology.


2013/12/11 trinath.somanchi at freescale.com <trinath.somanchi at freescale.com>

>  Yes..
>
> I have controller + network + compute node in a single machine.
>
>
>
> --
>
> Trinath Somanchi - B39208
>
> trinath.somanchi at freescale.com | extn: 4048
>
>
>
> *From:* 郭龙仓 [mailto:guolongcang.work at gmail.com]
> *Sent:* Wednesday, December 11, 2013 2:08 PM
>
> *To:* Somanchi Trinath-B39208
> *Cc:* openstack at lists.openstack.org
> *Subject:* Re: [Openstack] [FWaaS] Doubts with FWaaS
>
>
>
> All-in-one deploy? The qr-{xxx} device is created on the network node.
>
>
>
> 2013/12/11 trinath.somanchi at freescale.com <trinath.somanchi at freescale.com>
>
> Hi-
>
>
>
> I have the following chains in the iptables.
>
>
>
> root at havana:~# iptables -L -n -v
> Chain INPUT (policy ACCEPT 6021 packets, 474K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  5921  465K nova-api-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
>     0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
>     0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
>     0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 nova-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 nova-api-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
>     0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
>     0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
>     0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
>
> Chain OUTPUT (policy ACCEPT 6746 packets, 462K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  6614  452K nova-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>  6614  452K nova-api-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain nova-api-FORWARD (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain nova-api-INPUT (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.10.10.100         tcp dpt:8775
>
> Chain nova-api-OUTPUT (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain nova-api-local (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain nova-filter-top (2 references)
>  pkts bytes target     prot opt in     out     source               destination
>  6614  452K nova-api-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
>
>
>
>
> I find none with the names suggested below. Am I missing any of the
> configurations required?
>
>
>
> Kindly help me in this regard.
>
>
>
> --
>
> Trinath Somanchi - B39208
>
> trinath.somanchi at freescale.com | extn: 4048
>
>
>
> *From:* 郭龙仓 [mailto:guolongcang.work at gmail.com]
> *Sent:* Wednesday, December 11, 2013 1:46 PM
> *To:* Somanchi Trinath-B39208
> *Cc:* openstack at lists.openstack.org
> *Subject:* Re: [Openstack] [FWaaS] Doubts with FWaaS
>
>
>
> FWaaS is implemented through iptables on the qr-{xxx} device, with one inbound
> chain named like neutron-l3-agent-iv{xxx} and one outbound chain named
> like neutron-l3-agent-ov{xxx}.
>
>
>
> You can check the qr-{xxx} device's iptables rules.
>
>
>
> 2013/12/11 trinath.somanchi at freescale.com <trinath.somanchi at freescale.com>
>
> Hi stackers-
>
>
>
> I have configured FWaaS with Neutron.
>
>
>
> Also, I have created a simple firewall rule, added the same to a policy
> and created a firewall with this policy from the CLI.
>
>
>
> The firewall is in ERROR state.
>
>
>
> The rules and the policies were added to the DB.
>
>
>
> How do I debug to find the error? Also, will these rules be added to the
> iptables?
>
>
>
> Help me troubleshoot and understand the same.
>
>
>
> --
>
> Trinath Somanchi - B39208
>
> trinath.somanchi at freescale.com | extn: 4048
>
>
>
>
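The check suggested in the thread (look for the neutron-l3-agent-iv{xxx} and neutron-l3-agent-ov{xxx} chains on the qr-{xxx} device), written out as an added example that is not part of the original messages. It assumes the L3 agent runs with network namespaces, so the qr- device and its rules sit in a `qrouter-<router-id>` namespace; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Reads an `iptables -L -n -v` listing on stdin; prints
# "<chain> <direction> <rule count>" for every FWaaS chain it finds.
fwaas_chains() {
    awk '
        /^Chain / {
            cur = ($2 ~ /^neutron-l3-agent-[io]v/) ? $2 : ""
            if (cur != "") { names[++n] = cur; count[cur] = 0 }
            next
        }
        # Rule lines in -v output start with a packet counter (e.g. 12, 465K).
        cur != "" && $1 ~ /^[0-9]+[KMG]?$/ { count[cur]++ }
        END {
            for (i = 1; i <= n; i++) {
                dir = (names[i] ~ /^neutron-l3-agent-iv/) ? "inbound" : "outbound"
                print names[i], dir, count[names[i]]
            }
        }
    '
}

# Live use on the network node, as root. Assumption: the L3 agent uses
# network namespaces, so each router has a qrouter-<router-id> namespace.
scan_routers() {
    ip netns list | awk '/^qrouter-/ { print $1 }' | while read -r ns; do
        echo "== $ns"
        ip netns exec "$ns" iptables -L -n -v | fwaas_chains
    done
}

# Constructed sample listing (the chain suffix EXAMPLE is a placeholder).
sample_listing() {
    cat <<'EOF'
Chain neutron-l3-agent-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source       destination
    0     0 neutron-l3-agent-ivEXAMPLE  all  --  *      qr-+    0.0.0.0/0    0.0.0.0/0
    0     0 neutron-l3-agent-ovEXAMPLE  all  --  qr-+   *       0.0.0.0/0    0.0.0.0/0

Chain neutron-l3-agent-ivEXAMPLE (1 references)
 pkts bytes target     prot opt in     out     source       destination
    0     0 DROP       all  --  *      *       0.0.0.0/0    0.0.0.0/0    state INVALID
   12   720 ACCEPT     tcp  --  *      *       0.0.0.0/0    0.0.0.0/0    tcp dpt:22

Chain neutron-l3-agent-ovEXAMPLE (1 references)
 pkts bytes target     prot opt in     out     source       destination
    0     0 DROP       all  --  *      *       0.0.0.0/0    0.0.0.0/0    state INVALID
EOF
}
sample_listing | fwaas_chains
```

An empty result from `scan_routers` for a router means no FWaaS chains were programmed there, which is the case to follow up in the L3 agent log when the firewall shows ERROR.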