[Openstack] [Neutron][FWaaS] Doubts with FWaaS

Ashok Kumaran ashokkumaran.b at gmail.com
Thu Dec 12 07:26:02 UTC 2013


You should check the rules under qrouter namespace, did you try that?

something like below
#ip netns exec qr-XX iptables -L

regards,
Ashok

On Thu, Dec 12, 2013 at 12:39 PM, trinath.somanchi at freescale.com <
trinath.somanchi at freescale.com> wrote:

>  I have created some rules and added to Policy which is added to firewall
> which is in ACTIVE state.
>
>
>
> I have found the following in the firewall logs
>
>
>
> root at havana:/usr/lib/python2.7/dist-packages/neutron/common# tail -f
> /var/log/neutron/l3-agent.log | grep firewall
>
> 2013-12-12 12:34:57.176 19582 DEBUG neutron.openstack.common.rpc.amqp [-]
> received {u'_context_roles': [u'admin'], u'_context_read_deleted': u'no',
> u'_context_tenant_id': u'18088213420b45109da582f677ed8367', u'args':
> {u'firewall': {u'status': u'PENDING_UPDATE', u'name': u'Firewall-Test',
> u'admin_state_up': True, u'tenant_id': u'18088213420b45109da582f677ed8367',
> u'firewal_policy_id': u'255b8347-2069-4980-a911-a521a3e5b571', u'shared':
> None, u'id': u'5add0082-54b8-468e-b764-6c6d62d11b4b',
> u'firewall_rule_list': [{u'protocol': u'tcp', u'description': u'',
> u'ip_version': 4, u'tenant_id': u'18088213420b45109da582f677ed8367',
> u'enabled': True, u'source_ip_address': u'10.10.10.100',
> u'destination_ip_address': u'10.10.10.200', u'firewall_policy_id':
> u'255b8347-2069-4980-a911-a521a3e5b571', u'action': u'allow', u'shared':
> False, u'source_port': u'8010', u'position': 1, u'destination_port':
> u'8010', u'id': u'f60fe35d-5bc8-4973-bd4e-ddac85012624', u'name':
> u'rule2'}, {u'protocol': u'tcp', u'description': u'Allow Port 80',
> u'ip_version': 4, u'tenant_id': u'18088213420b45109da582f677ed8367',
> u'enabled': True, u'source_ip_address': u'10.10.10.100',
> u'destination_ip_address': u'10.10.10.200', u'firewall_policy_id':
> u'255b8347-2069-4980-a911-a521a3e5b571', u'action': u'allow', u'shared':
> True, u'source_port': u'80', u'position': 2, u'destination_port': u'80',
> u'id': u'6fbfbe3e-fefa-49f7-8189-431da4e12d8a', u'name': u'allow80'},
> {u'protocol': u'tcp', u'description': u'', u'ip_version': 4, u'tenant_id':
> u'18088213420b45109da582f677ed8367', u'enabled': True,
> u'source_ip_address': u'10.10.10.100', u'destination_ip_address':
> u'10.10.10.200', u'firewall_policy_id':
> u'255b8347-2069-4980-a911-a521a3e5b571', u'action': u'allow', u'shared':
> False, u'source_port': u'8020', u'position': 3, u'destination_port':
> u'8020', u'id': u'0ad077ab-a61b-4d90-9975-ca4a2d7c5936', u'name':
> u'rule3'}], u'description': u''}, u'host': u'havana'}, u'namespace': None,
> u'_unique_id': u'c1926314dfcb40c19c34ea794cafa7fe', u'_context_is_admin':
> True, u'version': u'1.0', u'_context_project_id':
> u'18088213420b45109da582f677ed8367', u'_context_timestamp': u'2013-12-12
> 07:04:56.847184', u'_context_user_id': u'cb1d76176a07463db848ae89060e5786',
> u'method': u'updatefirewall'} _safe_log
> /usr/lib/python2.7/dist-packages/neutron/openstack/common/rpc/common.py:276
>
> 2013-12-12 12:34:57.182 19582 DEBUG
> neutron.services.firewall.agents.l3reference.firewall_l3_agent [-]
> update_firewall from agent for fw: 5add0082-54b8-468e-b764-6c6d62d11b4b
> _invoke_driver_for_plugin_api
> /usr/lib/python2.7/dist-packages/neutron/services/firewall/agents/l3reference/firewall_l3_agent.py:108
>
> 2013-12-12 12:35:02.718 19582 DEBUG
> neutron.services.firewall.agents.l3reference.firewall_l3_agent [-] Apply fw
> on Router List: '[u'1c317e97-d270-4977-a5d7-27534194049f']'
> _invoke_driver_for_plugin_api
> /usr/lib/python2.7/dist-packages/neutron/services/firewall/agents/l3reference/firewall_l3_agent.py:123
>
> 2013-12-12 12:35:02.718 19582 DEBUG
> neutron.services.firewall.drivers.linux.iptables_fwaas [-] Updating
> firewall 5add0082-54b8-468e-b764-6c6d62d11b4b for tenant
> 18088213420b45109da582f677ed8367) update_firewall
> /usr/lib/python2.7/dist-packages/neutron/services/firewall/drivers/linux/iptables_fwaas.py:82
>
> 2013-12-12 12:35:02.720 19582 DEBUG neutron.openstack.common.rpc.amqp [-]
> Making synchronous call on q-firewall-plugin ... multicall
> /usr/lib/python2.7/dist-packages/neutron/openstack/common/rpc/amqp.py:530
>
>
>
> I want to know what is the command to view these rules apart from the
> neutron CLI ?
>
>
>
> Is there any possibility to view these rules ?
>
>
>
> When I issue the command,  iptables –L,  I’m unable to view the rules,
> Kindly help me to understand the same.
>
>
>
> Please correct me if I’m wrong.
>
>
>
>
>
> --
>
> Trinath Somanchi - B39208
>
> trinath.somanchi at freescale.com | extn: 4048
>
>
>
> *From:* Sumit Naiksatam [mailto:sumitnaiksatam at gmail.com]
> *Sent:* Thursday, December 12, 2013 12:08 PM
> *To:* Somanchi Trinath-B39208
> *Cc:* openstack at lists.openstack.org
> *Subject:* Re: [Openstack] [Neutron][FWaaS] Doubts with FWaaS
>
>
>
> Thats seems correct. You want to check for the iptables in the router's
> namespace. Also check for anything in the neutron or the l3-agent logs.
>
>
>
> Thanks,
>
> ~Sumit.
>
>
>
> On Wed, Dec 11, 2013 at 10:35 PM, trinath.somanchi at freescale.com <
> trinath.somanchi at freescale.com> wrote:
>
> Hi-
>
>
>
> Yes!, I have configured Fwaas Driver this way in neutron.conf
>
>
>
> [fwaas]
>
> driver =
> neutron.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver
>
> enabled = True
>
>
>
>
>
>
>
> --
>
> Trinath Somanchi - B39208
>
> trinath.somanchi at freescale.com | extn: 4048
>
>
>
> *From:* Sumit Naiksatam [mailto:sumitnaiksatam at gmail.com]
> *Sent:* Wednesday, December 11, 2013 10:15 PM
> *To:* Remo Mattei
> *Cc:* openstack at lists.openstack.org
> *Subject:* Re: [Openstack] [FWaaS] Doubts with FWaaS
>
>
>
> Is the fwaas_driver configured correctly?
>
>
>
> On Wed, Dec 11, 2013 at 6:42 AM, Remo Mattei <remo at mattei.org> wrote:
>
> What are you trying to do?
>
> Inviato da iPhone ()
>
>
> Il giorno Dec 11, 2013, alle ore 3:02, "trinath.somanchi at freescale.com" <
> trinath.somanchi at freescale.com> ha scritto:
>
>   Hi-
>
>
>
> I have a Network 12.12.12.0/24 connected to a router (router1)
>
>
>
> I have got the neutron based chains in iptables too..
>
>
>
> Chain INPUT (policy ACCEPT 451K packets, 126M bytes)
>
> pkts bytes target     prot opt in     out     source
> destination
>
>  413K  119M neutron-openvswi-INPUT  all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
> 48090   14M nova-compute-INPUT  all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
>  262K   75M nova-network-INPUT  all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
>  264K   76M nova-api-INPUT  all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
>     0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0
> 0.0.0.0/0            udp dpt:53
>
>     0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0
> 0.0.0.0/0            tcp dpt:53
>
>     0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0
> 0.0.0.0/0            udp dpt:67
>
>     0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0
> 0.0.0.0/0            tcp dpt:67
>
>
>
> Chain FORWARD (policy ACCEPT 18 packets, 2855 bytes)
>
> pkts bytes target     prot opt in     out     source
>           destination
>
>    22  4189 neutron-filter-top  all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
>    22  4189 neutron-openvswi-FORWARD  all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
>    18  2855 nova-filter-top  all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
>     0     0 nova-compute-FORWARD  all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
>     0     0 nova-network-FORWARD  all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
>     0     0 nova-api-FORWARD  all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
>     0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0
> 192.168.122.0/24     ctstate RELATED,ESTABLISHED
>
>     0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24
> 0.0.0.0/0
>
>     0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0
> 0.0.0.0/0
>
>     0     0 REJECT     all  --  *      virbr0  0.0.0.0/0
> 0.0.0.0/0            reject-with icmp-port-unreachable
>
>     0     0 REJECT     all  --  virbr0 *       0.0.0.0/0
> 0.0.0.0/0            reject-with icmp-port-unreachable
>
>
>
> Chain OUTPUT (policy ACCEPT 450K packets, 124M bytes)
>
> pkts bytes target     prot opt in     out     source
>         destination
>
>  413K  116M neutron-filter-top  all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
>  413K  116M neutron-openvswi-OUTPUT  all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
>  450K  124M nova-filter-top  all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
> 49273   14M nova-compute-OUTPUT  all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
>  263K   77M nova-network-OUTPUT  all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
>  265K   77M nova-api-OUTPUT  all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
>
>
> Chain neutron-filter-top (2 references)
>
> pkts bytes target     prot opt in     out     source
> destination
>
>  413K  116M neutron-openvswi-local  all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
>
>
> Chain neutron-openvswi-FORWARD (1 references)
>
> pkts bytes target     prot opt in     out     source
> destination
>
>     2   706 neutron-openvswi-sg-chain  all  --  *      *       0.0.0.0/0
> 0.0.0.0/0            PHYSDEV match --physdev-out tap761426aa-f9
> --physdev-is-bridged
>
>     2   628 neutron-openvswi-sg-chain  all  --  *      *       0.0.0.0/0
> 0.0.0.0/0            PHYSDEV match --physdev-in tap761426aa-f9
> --physdev-is-bridged
>
>
>
> Chain neutron-openvswi-INPUT (1 references)
>
> pkts bytes target     prot opt in     out     source
> destination
>
>     0     0 neutron-openvswi-o761426aa-f  all  --  *      *
> 0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in
> tap761426aa-f9 --physdev-is-bridged
>
>
>
> Chain neutron-openvswi-OUTPUT (1 references)
>
> pkts bytes target     prot opt in     out     source
> destination
>
>
>
> Chain neutron-openvswi-i761426aa-f (1 references)
>
> pkts bytes target     prot opt in     out     source
> destination
>
>     0     0 DROP       all  --  *      *       0.0.0.0/0
> 0.0.0.0/0            state INVALID
>
>     0     0 RETURN     all  --  *      *       0.0.0.0/0
> 0.0.0.0/0            state RELATED,ESTABLISHED
>
>     2   706 RETURN     udp  --  *      *       12.12.12.3
> 0.0.0.0/0            udp spt:67 dpt:68
>
>     0     0 neutron-openvswi-sg-fallback  all  --  *      *
> 0.0.0.0/0            0.0.0.0/0
>
>
>
> Chain neutron-openvswi-local (1 references)
>
> pkts bytes target     prot opt in     out     source
> destination
>
>
>
> Chain neutron-openvswi-o761426aa-f (2 references)
>
> pkts bytes target     prot opt in     out     source
> destination
>
>     2   628 RETURN     udp  --  *      *       0.0.0.0/0
> 0.0.0.0/0            udp spt:68 dpt:67
>
>     0     0 neutron-openvswi-s761426aa-f  all  --  *      *
> 0.0.0.0/0            0.0.0.0/0
>
>     0     0 DROP       udp  --  *      *       0.0.0.0/0
> 0.0.0.0/0            udp spt:67 dpt:68
>
>     0     0 DROP       all  --  *      *       0.0.0.0/0
> 0.0.0.0/0            state INVALID
>
>     0     0 RETURN     all  --  *      *       0.0.0.0/0
> 0.0.0.0/0            state RELATED,ESTABLISHED
>
>     0     0 RETURN     all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
>     0     0 neutron-openvswi-sg-fallback  all  --  *      *
> 0.0.0.0/0            0.0.0.0/0
>
>
>
> Chain neutron-openvswi-s761426aa-f (1 references)
>
> pkts bytes target     prot opt in     out     source
> destination
>
>     0     0 RETURN     all  --  *      *       12.12.12.2
> 0.0.0.0/0            MAC FA:16:3E:35:F9:57
>
>     0     0 DROP       all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
>
>
> Chain neutron-openvswi-sg-chain (2 references)
>
> pkts bytes target     prot opt in     out     source
> destination
>
>     2   706 neutron-openvswi-i761426aa-f  all  --  *      *
> 0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out
> tap761426aa-f9 --physdev-is-bridged
>
>     2   628 neutron-openvswi-o761426aa-f  all  --  *      *
> 0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in
> tap761426aa-f9 --physdev-is-bridged
>
>     4  1334 ACCEPT     all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
>
>
> Chain neutron-openvswi-sg-fallback (2 references)
>
> pkts bytes target     prot opt in     out     source
> destination
>
>     0     0 DROP       all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
>
>
> Chain nova-api-FORWARD (1 references)
>
> pkts bytes target     prot opt in     out     source
> destination
>
>
>
> Chain nova-api-INPUT (1 references)
>
> pkts bytes target     prot opt in     out     source
> destination
>
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0
> 10.10.10.100         tcp dpt:8775
>
>
>
> Chain nova-api-OUTPUT (1 references)
>
> pkts bytes target     prot opt in     out     source
> destination
>
>
>
> Chain nova-api-local (1 references)
>
> pkts bytes target     prot opt in     out     source
> destination
>
>
>
> Chain nova-compute-FORWARD (1 references)
>
> pkts bytes target     prot opt in     out     source
> destination
>
>     0     0 ACCEPT     udp  --  *      *       0.0.0.0
> 255.255.255.255      udp spt:68 dpt:67
>
>
>
> Chain nova-compute-INPUT (1 references)
>
> pkts bytes target     prot opt in     out     source
> destination
>
>     2   628 ACCEPT     udp  --  *      *       0.0.0.0
> 255.255.255.255      udp spt:68 dpt:67
>
>
>
> Chain nova-compute-OUTPUT (1 references)
>
> pkts bytes target     prot opt in     out     source
> destination
>
>
>
> Chain nova-compute-inst-26 (1 references)
>
> pkts bytes target     prot opt in     out     source
> destination
>
>     0     0 DROP       all  --  *      *       0.0.0.0/0
> 0.0.0.0/0            state INVALID
>
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0
> 0.0.0.0/0            state RELATED,ESTABLISHED
>
>     0     0 nova-compute-provider  all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
>     0     0 ACCEPT     udp  --  *      *       12.12.12.3
> 0.0.0.0/0            udp spt:67 dpt:68
>
>     0     0 nova-compute-sg-fallback  all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
>
>
> Chain nova-compute-local (1 references)
>
> pkts bytes target     prot opt in     out     source
> destination
>
>     0     0 nova-compute-inst-26  all  --  *      *       0.0.0.0/0
> 12.12.12.2
>
>
>
> Chain nova-compute-provider (1 references)
>
> pkts bytes target     prot opt in     out     source
> destination
>
>
>
> Chain nova-compute-sg-fallback (1 references)
>
> pkts bytes target     prot opt in     out     source
> destination
>
>     0     0 DROP       all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
>
>
> Chain nova-filter-top (2 references)
>
> pkts bytes target     prot opt in     out     source
> destination
>
> 49273   14M nova-compute-local  all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
>  263K   77M nova-network-local  all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
>  265K   77M nova-api-local  all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
>
>
> Chain nova-network-FORWARD (1 references)
>
> pkts bytes target     prot opt in     out     source
> destination
>
>
>
> Chain nova-network-INPUT (1 references)
>
> pkts bytes target     prot opt in     out     source
> destination
>
>
>
> Chain nova-network-OUTPUT (1 references)
>
> pkts bytes target     prot opt in     out     source
> destination
>
>
>
> Chain nova-network-local (1 references)
>
> pkts bytes target     prot opt in     out     source
> destination
>
>
>
> But then there are chain with name “neutron-­l3­-agent”
>
>
>
> Is there anything am I missing ?
>
>
>
> Kindly guide me in this regard.
>
>
>
>
>
>
>
>
>
> --
>
> Trinath Somanchi - B39208
>
> trinath.somanchi at freescale.com | extn: 4048
>
>
>
> *From:* 郭龙仓 [mailto:guolongcang.work at gmail.com<guolongcang.work at gmail.com>]
>
> *Sent:* Wednesday, December 11, 2013 2:16 PM
> *To:* Somanchi Trinath-B39208
> *Cc:* openstack at lists.openstack.org
> *Subject:* Re: [Openstack] [FWaaS] Doubts with FWaaS
>
>
>
> well , maybe you can show me your tenant network topology.
>
>
>
> 2013/12/11 trinath.somanchi at freescale.com <trinath.somanchi at freescale.com>
>
> Yes..
>
> I have controller + network + compute node in a single machine.
>
>
>
> --
>
> Trinath Somanchi - B39208
>
> trinath.somanchi at freescale.com | extn: 4048
>
>
>
> *From:* 郭龙仓 [mailto:guolongcang.work at gmail.com]
> *Sent:* Wednesday, December 11, 2013 2:08 PM
>
>
> *To:* Somanchi Trinath-B39208
> *Cc:* openstack at lists.openstack.org
> *Subject:* Re: [Openstack] [FWaaS] Doubts with FWaaS
>
>
>
> all-in-one deploy ?  qr-­{xxx} device is created on the network node .
>
>
>
> 2013/12/11 trinath.somanchi at freescale.com <trinath.somanchi at freescale.com>
>
> Hi-
>
>
>
> I have the following chains in the iptables.
>
>
>
> root at havana:~# iptables -L -n -v
>
> Chain INPUT (policy ACCEPT 6021 packets, 474K bytes)
>
> pkts bytes target     prot opt in     out     source
> destination
>
>  5921  465K nova-api-INPUT  all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
>     0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0
> 0.0.0.0/0            udp dpt:53
>
>     0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0
> 0.0.0.0/0            tcp dpt:53
>
>     0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0
> 0.0.0.0/0            udp dpt:67
>
>     0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0
> 0.0.0.0/0            tcp dpt:67
>
>
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>
> pkts bytes target     prot opt in     out     source
> destination
>
>     0     0 nova-filter-top  all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
>     0     0 nova-api-FORWARD  all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
>     0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0
> 192.168.122.0/24     ctstate RELATED,ESTABLISHED
>
>     0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24
> 0.0.0.0/0
>
>     0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0
> 0.0.0.0/0
>
>     0     0 REJECT     all  --  *      virbr0  0.0.0.0/0
> 0.0.0.0/0            reject-with icmp-port-unreachable
>
>     0     0 REJECT     all  --  virbr0 *       0.0.0.0/0
> 0.0.0.0/0            reject-with icmp-port-unreachable
>
>
>
> Chain OUTPUT (policy ACCEPT 6746 packets, 462K bytes)
>
> pkts bytes target     prot opt in     out     source
> destination
>
>  6614  452K nova-filter-top  all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
>  6614  452K nova-api-OUTPUT  all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
>
>
> Chain nova-api-FORWARD (1 references)
>
> pkts bytes target     prot opt in     out     source
> destination
>
>
>
> Chain nova-api-INPUT (1 references)
>
> pkts bytes target     prot opt in     out     source
> destination
>
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0
> 10.10.10.100         tcp dpt:8775
>
>
>
> Chain nova-api-OUTPUT (1 references)
>
> pkts bytes target     prot opt in     out     source
> destination
>
>
>
> Chain nova-api-local (1 references)
>
> pkts bytes target     prot opt in     out     source
> destination
>
>
>
> Chain nova-filter-top (2 references)
>
> pkts bytes target     prot opt in     out     source
> destination
>
>  6614  452K nova-api-local  all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
>
>
>
>
> I find none with the names suggested below. Am I missing any of the
> configurations required.
>
>
>
> Kindly help me in this regard.
>
>
>
> --
>
> Trinath Somanchi - B39208
>
> trinath.somanchi at freescale.com | extn: 4048
>
>
>
> *From:* 郭龙仓 [mailto:guolongcang.work at gmail.com]
> *Sent:* Wednesday, December 11, 2013 1:46 PM
> *To:* Somanchi Trinath-B39208
> *Cc:* openstack at lists.openstack.org
> *Subject:* Re: [Openstack] [FWaaS] Doubts with FWaaS
>
>
>
> FWaaS is implemented through iptables on qr-­{xxx} device , one inbound
> chain named like neutron-­l3­-agent-­iv{xxx} and one outbound chain named
> like  neutron-­l3­-agent-­ov{xxx}  .
>
>
>
> You can check the qr-­{xxx} device's iptables rules.
>
>
>
> 2013/12/11 trinath.somanchi at freescale.com <trinath.somanchi at freescale.com>
>
> Hi stackers-
>
>
>
> I have configured FWaas with Neutron.
>
>
>
> Also, I have created a simple firewall rule, added the same to a policy
> and created a firewall with this policy from CLI
>
>
>
> The firewall is in ERROR state.
>
>
>
> The rules and the policies were added to the DB.
>
>
>
> How do I debug to find the error. Also, will these rules be added to the
> iptables?
>
>
>
> Help be troubleshoot and understand the same.
>
>
>
> --
>
> Trinath Somanchi - B39208
>
> trinath.somanchi at freescale.com | extn: 4048
>
>
>
>
> _______________________________________________
> Mailing list:
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
>
>
>
>
>
>
> !DSPAM:2,52a84b75265441149516157!
>
>   _______________________________________________
> Mailing list:
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
>
> !DSPAM:2,52a84b75265441149516157!
>
>
> _______________________________________________
> Mailing list:
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
>
>
>
>
> _______________________________________________
> Mailing list:
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20131212/b1ffaffd/attachment.html>


More information about the Openstack mailing list