[Openstack] [Neutron][FWaaS] Doubts with FWaaS
Sumit Naiksatam
sumitnaiksatam at gmail.com
Thu Dec 12 06:38:28 UTC 2013
Thats seems correct. You want to check for the iptables in the router's
namespace. Also check for anything in the neutron or the l3-agent logs.
Thanks,
~Sumit.
On Wed, Dec 11, 2013 at 10:35 PM, trinath.somanchi at freescale.com <
trinath.somanchi at freescale.com> wrote:
> Hi-
>
>
>
> Yes!, I have configured Fwaas Driver this way in neutron.conf
>
>
>
> [fwaas]
>
> driver =
> neutron.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver
>
> enabled = True
>
>
>
>
>
>
>
> --
>
> Trinath Somanchi - B39208
>
> trinath.somanchi at freescale.com | extn: 4048
>
>
>
> *From:* Sumit Naiksatam [mailto:sumitnaiksatam at gmail.com]
> *Sent:* Wednesday, December 11, 2013 10:15 PM
> *To:* Remo Mattei
> *Cc:* openstack at lists.openstack.org
> *Subject:* Re: [Openstack] [FWaaS] Doubts with FWaaS
>
>
>
> Is the fwaas_driver configured correctly?
>
>
>
> On Wed, Dec 11, 2013 at 6:42 AM, Remo Mattei <remo at mattei.org> wrote:
>
> What are you trying to do?
>
> Inviato da iPhone ()
>
>
> Il giorno Dec 11, 2013, alle ore 3:02, "trinath.somanchi at freescale.com" <
> trinath.somanchi at freescale.com> ha scritto:
>
> Hi-
>
>
>
> I have a Network 12.12.12.0/24 connected to a router (router1)
>
>
>
> I have got the neutron based chains in iptables too..
>
>
>
> Chain INPUT (policy ACCEPT 451K packets, 126M bytes)
>
> pkts bytes target prot opt in out source
> destination
>
> 413K 119M neutron-openvswi-INPUT all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> 48090 14M nova-compute-INPUT all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> 262K 75M nova-network-INPUT all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> 264K 76M nova-api-INPUT all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> 0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0
> 0.0.0.0/0 udp dpt:53
>
> 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0
> 0.0.0.0/0 tcp dpt:53
>
> 0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0
> 0.0.0.0/0 udp dpt:67
>
> 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0
> 0.0.0.0/0 tcp dpt:67
>
>
>
> Chain FORWARD (policy ACCEPT 18 packets, 2855 bytes)
>
> pkts bytes target prot opt in out source
> destination
>
> 22 4189 neutron-filter-top all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> 22 4189 neutron-openvswi-FORWARD all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> 18 2855 nova-filter-top all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> 0 0 nova-compute-FORWARD all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> 0 0 nova-network-FORWARD all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> 0 0 nova-api-FORWARD all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> 0 0 ACCEPT all -- * virbr0 0.0.0.0/0
> 192.168.122.0/24 ctstate RELATED,ESTABLISHED
>
> 0 0 ACCEPT all -- virbr0 * 192.168.122.0/24
> 0.0.0.0/0
>
> 0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0
> 0.0.0.0/0
>
> 0 0 REJECT all -- * virbr0 0.0.0.0/0
> 0.0.0.0/0 reject-with icmp-port-unreachable
>
> 0 0 REJECT all -- virbr0 * 0.0.0.0/0
> 0.0.0.0/0 reject-with icmp-port-unreachable
>
>
>
> Chain OUTPUT (policy ACCEPT 450K packets, 124M bytes)
>
> pkts bytes target prot opt in out source
> destination
>
> 413K 116M neutron-filter-top all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> 413K 116M neutron-openvswi-OUTPUT all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> 450K 124M nova-filter-top all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> 49273 14M nova-compute-OUTPUT all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> 263K 77M nova-network-OUTPUT all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> 265K 77M nova-api-OUTPUT all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
>
>
> Chain neutron-filter-top (2 references)
>
> pkts bytes target prot opt in out source
> destination
>
> 413K 116M neutron-openvswi-local all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
>
>
> Chain neutron-openvswi-FORWARD (1 references)
>
> pkts bytes target prot opt in out source
> destination
>
> 2 706 neutron-openvswi-sg-chain all -- * * 0.0.0.0/0
> 0.0.0.0/0 PHYSDEV match --physdev-out tap761426aa-f9
> --physdev-is-bridged
>
> 2 628 neutron-openvswi-sg-chain all -- * * 0.0.0.0/0
> 0.0.0.0/0 PHYSDEV match --physdev-in tap761426aa-f9
> --physdev-is-bridged
>
>
>
> Chain neutron-openvswi-INPUT (1 references)
>
> pkts bytes target prot opt in out source
> destination
>
> 0 0 neutron-openvswi-o761426aa-f all -- * *
> 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in
> tap761426aa-f9 --physdev-is-bridged
>
>
>
> Chain neutron-openvswi-OUTPUT (1 references)
>
> pkts bytes target prot opt in out source
> destination
>
>
>
> Chain neutron-openvswi-i761426aa-f (1 references)
>
> pkts bytes target prot opt in out source
> destination
>
> 0 0 DROP all -- * * 0.0.0.0/0
> 0.0.0.0/0 state INVALID
>
> 0 0 RETURN all -- * * 0.0.0.0/0
> 0.0.0.0/0 state RELATED,ESTABLISHED
>
> 2 706 RETURN udp -- * * 12.12.12.3
> 0.0.0.0/0 udp spt:67 dpt:68
>
> 0 0 neutron-openvswi-sg-fallback all -- * *
> 0.0.0.0/0 0.0.0.0/0
>
>
>
> Chain neutron-openvswi-local (1 references)
>
> pkts bytes target prot opt in out source
> destination
>
>
>
> Chain neutron-openvswi-o761426aa-f (2 references)
>
> pkts bytes target prot opt in out source
> destination
>
> 2 628 RETURN udp -- * * 0.0.0.0/0
> 0.0.0.0/0 udp spt:68 dpt:67
>
> 0 0 neutron-openvswi-s761426aa-f all -- * *
> 0.0.0.0/0 0.0.0.0/0
>
> 0 0 DROP udp -- * * 0.0.0.0/0
> 0.0.0.0/0 udp spt:67 dpt:68
>
> 0 0 DROP all -- * * 0.0.0.0/0
> 0.0.0.0/0 state INVALID
>
> 0 0 RETURN all -- * * 0.0.0.0/0
> 0.0.0.0/0 state RELATED,ESTABLISHED
>
> 0 0 RETURN all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> 0 0 neutron-openvswi-sg-fallback all -- * *
> 0.0.0.0/0 0.0.0.0/0
>
>
>
> Chain neutron-openvswi-s761426aa-f (1 references)
>
> pkts bytes target prot opt in out source
> destination
>
> 0 0 RETURN all -- * * 12.12.12.2
> 0.0.0.0/0 MAC FA:16:3E:35:F9:57
>
> 0 0 DROP all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
>
>
> Chain neutron-openvswi-sg-chain (2 references)
>
> pkts bytes target prot opt in out source
> destination
>
> 2 706 neutron-openvswi-i761426aa-f all -- * *
> 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out
> tap761426aa-f9 --physdev-is-bridged
>
> 2 628 neutron-openvswi-o761426aa-f all -- * *
> 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in
> tap761426aa-f9 --physdev-is-bridged
>
> 4 1334 ACCEPT all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
>
>
> Chain neutron-openvswi-sg-fallback (2 references)
>
> pkts bytes target prot opt in out source
> destination
>
> 0 0 DROP all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
>
>
> Chain nova-api-FORWARD (1 references)
>
> pkts bytes target prot opt in out source
> destination
>
>
>
> Chain nova-api-INPUT (1 references)
>
> pkts bytes target prot opt in out source
> destination
>
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0
> 10.10.10.100 tcp dpt:8775
>
>
>
> Chain nova-api-OUTPUT (1 references)
>
> pkts bytes target prot opt in out source
> destination
>
>
>
> Chain nova-api-local (1 references)
>
> pkts bytes target prot opt in out source
> destination
>
>
>
> Chain nova-compute-FORWARD (1 references)
>
> pkts bytes target prot opt in out source
> destination
>
> 0 0 ACCEPT udp -- * * 0.0.0.0
> 255.255.255.255 udp spt:68 dpt:67
>
>
>
> Chain nova-compute-INPUT (1 references)
>
> pkts bytes target prot opt in out source
> destination
>
> 2 628 ACCEPT udp -- * * 0.0.0.0
> 255.255.255.255 udp spt:68 dpt:67
>
>
>
> Chain nova-compute-OUTPUT (1 references)
>
> pkts bytes target prot opt in out source
> destination
>
>
>
> Chain nova-compute-inst-26 (1 references)
>
> pkts bytes target prot opt in out source
> destination
>
> 0 0 DROP all -- * * 0.0.0.0/0
> 0.0.0.0/0 state INVALID
>
> 0 0 ACCEPT all -- * * 0.0.0.0/0
> 0.0.0.0/0 state RELATED,ESTABLISHED
>
> 0 0 nova-compute-provider all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> 0 0 ACCEPT udp -- * * 12.12.12.3
> 0.0.0.0/0 udp spt:67 dpt:68
>
> 0 0 nova-compute-sg-fallback all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
>
>
> Chain nova-compute-local (1 references)
>
> pkts bytes target prot opt in out source
> destination
>
> 0 0 nova-compute-inst-26 all -- * * 0.0.0.0/0
> 12.12.12.2
>
>
>
> Chain nova-compute-provider (1 references)
>
> pkts bytes target prot opt in out source
> destination
>
>
>
> Chain nova-compute-sg-fallback (1 references)
>
> pkts bytes target prot opt in out source
> destination
>
> 0 0 DROP all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
>
>
> Chain nova-filter-top (2 references)
>
> pkts bytes target prot opt in out source
> destination
>
> 49273 14M nova-compute-local all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> 263K 77M nova-network-local all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> 265K 77M nova-api-local all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
>
>
> Chain nova-network-FORWARD (1 references)
>
> pkts bytes target prot opt in out source
> destination
>
>
>
> Chain nova-network-INPUT (1 references)
>
> pkts bytes target prot opt in out source
> destination
>
>
>
> Chain nova-network-OUTPUT (1 references)
>
> pkts bytes target prot opt in out source
> destination
>
>
>
> Chain nova-network-local (1 references)
>
> pkts bytes target prot opt in out source
> destination
>
>
>
> But then there are chain with name “neutron-l3-agent”
>
>
>
> Is there anything am I missing ?
>
>
>
> Kindly guide me in this regard.
>
>
>
>
>
>
>
>
>
> --
>
> Trinath Somanchi - B39208
>
> trinath.somanchi at freescale.com | extn: 4048
>
>
>
> *From:* 郭龙仓 [mailto:guolongcang.work at gmail.com<guolongcang.work at gmail.com>]
>
> *Sent:* Wednesday, December 11, 2013 2:16 PM
> *To:* Somanchi Trinath-B39208
> *Cc:* openstack at lists.openstack.org
> *Subject:* Re: [Openstack] [FWaaS] Doubts with FWaaS
>
>
>
> well , maybe you can show me your tenant network topology.
>
>
>
> 2013/12/11 trinath.somanchi at freescale.com <trinath.somanchi at freescale.com>
>
> Yes..
>
> I have controller + network + compute node in a single machine.
>
>
>
> --
>
> Trinath Somanchi - B39208
>
> trinath.somanchi at freescale.com | extn: 4048
>
>
>
> *From:* 郭龙仓 [mailto:guolongcang.work at gmail.com]
> *Sent:* Wednesday, December 11, 2013 2:08 PM
>
>
> *To:* Somanchi Trinath-B39208
> *Cc:* openstack at lists.openstack.org
> *Subject:* Re: [Openstack] [FWaaS] Doubts with FWaaS
>
>
>
> all-in-one deploy ? qr-{xxx} device is created on the network node .
>
>
>
> 2013/12/11 trinath.somanchi at freescale.com <trinath.somanchi at freescale.com>
>
> Hi-
>
>
>
> I have the following chains in the iptables.
>
>
>
> root at havana:~# iptables -L -n -v
>
> Chain INPUT (policy ACCEPT 6021 packets, 474K bytes)
>
> pkts bytes target prot opt in out source
> destination
>
> 5921 465K nova-api-INPUT all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> 0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0
> 0.0.0.0/0 udp dpt:53
>
> 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0
> 0.0.0.0/0 tcp dpt:53
>
> 0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0
> 0.0.0.0/0 udp dpt:67
>
> 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0
> 0.0.0.0/0 tcp dpt:67
>
>
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>
> pkts bytes target prot opt in out source
> destination
>
> 0 0 nova-filter-top all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> 0 0 nova-api-FORWARD all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> 0 0 ACCEPT all -- * virbr0 0.0.0.0/0
> 192.168.122.0/24 ctstate RELATED,ESTABLISHED
>
> 0 0 ACCEPT all -- virbr0 * 192.168.122.0/24
> 0.0.0.0/0
>
> 0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0
> 0.0.0.0/0
>
> 0 0 REJECT all -- * virbr0 0.0.0.0/0
> 0.0.0.0/0 reject-with icmp-port-unreachable
>
> 0 0 REJECT all -- virbr0 * 0.0.0.0/0
> 0.0.0.0/0 reject-with icmp-port-unreachable
>
>
>
> Chain OUTPUT (policy ACCEPT 6746 packets, 462K bytes)
>
> pkts bytes target prot opt in out source
> destination
>
> 6614 452K nova-filter-top all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> 6614 452K nova-api-OUTPUT all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
>
>
> Chain nova-api-FORWARD (1 references)
>
> pkts bytes target prot opt in out source
> destination
>
>
>
> Chain nova-api-INPUT (1 references)
>
> pkts bytes target prot opt in out source
> destination
>
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0
> 10.10.10.100 tcp dpt:8775
>
>
>
> Chain nova-api-OUTPUT (1 references)
>
> pkts bytes target prot opt in out source
> destination
>
>
>
> Chain nova-api-local (1 references)
>
> pkts bytes target prot opt in out source
> destination
>
>
>
> Chain nova-filter-top (2 references)
>
> pkts bytes target prot opt in out source
> destination
>
> 6614 452K nova-api-local all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
>
>
>
>
> I find none with the names suggested below. Am I missing any of the
> configurations required.
>
>
>
> Kindly help me in this regard.
>
>
>
> --
>
> Trinath Somanchi - B39208
>
> trinath.somanchi at freescale.com | extn: 4048
>
>
>
> *From:* 郭龙仓 [mailto:guolongcang.work at gmail.com]
> *Sent:* Wednesday, December 11, 2013 1:46 PM
> *To:* Somanchi Trinath-B39208
> *Cc:* openstack at lists.openstack.org
> *Subject:* Re: [Openstack] [FWaaS] Doubts with FWaaS
>
>
>
> FWaaS is implemented through iptables on qr-{xxx} device , one inbound
> chain named like neutron-l3-agent-iv{xxx} and one outbound chain named
> like neutron-l3-agent-ov{xxx} .
>
>
>
> You can check the qr-{xxx} device's iptables rules.
>
>
>
> 2013/12/11 trinath.somanchi at freescale.com <trinath.somanchi at freescale.com>
>
> Hi stackers-
>
>
>
> I have configured FWaas with Neutron.
>
>
>
> Also, I have created a simple firewall rule, added the same to a policy
> and created a firewall with this policy from CLI
>
>
>
> The firewall is in ERROR state.
>
>
>
> The rules and the policies were added to the DB.
>
>
>
> How do I debug to find the error. Also, will these rules be added to the
> iptables?
>
>
>
> Help be troubleshoot and understand the same.
>
>
>
> --
>
> Trinath Somanchi - B39208
>
> trinath.somanchi at freescale.com | extn: 4048
>
>
>
>
> _______________________________________________
> Mailing list:
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack at lists.openstack.org
> Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
>
>
>
>
>
>
> !DSPAM:2,52a84b75265441149516157!
>
> _______________________________________________
> Mailing list:
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack at lists.openstack.org
> Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
>
> !DSPAM:2,52a84b75265441149516157!
>
>
> _______________________________________________
> Mailing list:
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack at lists.openstack.org
> Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20131211/4be6efcd/attachment.html>
More information about the Openstack
mailing list