[Openstack] the definition of X-aaS in neutron

Liu Wenmao marvelliu at gmail.com
Wed Nov 27 04:32:41 UTC 2013


Hi Lorin:

As far as I know, the FWaaS driver currently uses Linux iptables in the
L3 agent namespace, so FWaaS only affects traffic to or from the subnet
gateway. If two tenants share the same router, I think the inter-tenant
traffic will be monitored by the FWaaS iptables driver.


Chain neutron-l3-agent-FORWARD (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     108     5856 neutron-l3-agent-iv46e4852c5  all  --  *      qr-+    0.0.0.0/0            0.0.0.0/0
     293    17028 neutron-l3-agent-ov46e4852c5  all  --  qr-+   *       0.0.0.0/0            0.0.0.0/0
       0        0 neutron-l3-agent-fwaas-defau  all  --  *      qr-+    0.0.0.0/0            0.0.0.0/0
       0        0 neutron-l3-agent-fwaas-defau  all  --  qr-+   *       0.0.0.0/0            0.0.0.0/0

Liu Wenmao

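As an added illustration (not part of the thread), the following Python parses the FORWARD chain listed above and applies iptables' interface matching (`*` is any interface, a trailing `+` is a prefix wildcard) to count how many FWaaS chain jumps a forwarded packet would hit on an external-to-subnet path versus a subnet-to-subnet path through the same router. The interface names `qg-1a2b3c`, `qr-aaaa` and `qr-bbbb` are constructed; `qg-` and `qr-` are the neutron prefixes for the router's external gateway and internal subnet interfaces.

```python
import re

# Constructed sample: the neutron-l3-agent-FORWARD chain from the message
# above, one rule per line as printed by `iptables -vnL`.
SAMPLE = """\
Chain neutron-l3-agent-FORWARD (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     108     5856 neutron-l3-agent-iv46e4852c5  all  --  *      qr-+    0.0.0.0/0            0.0.0.0/0
     293    17028 neutron-l3-agent-ov46e4852c5  all  --  qr-+   *       0.0.0.0/0            0.0.0.0/0
       0        0 neutron-l3-agent-fwaas-defau  all  --  *      qr-+    0.0.0.0/0            0.0.0.0/0
       0        0 neutron-l3-agent-fwaas-defau  all  --  qr-+   *       0.0.0.0/0            0.0.0.0/0
"""


def parse_chain(text):
    """Return a list of (target, in_iface, out_iface) tuples from `iptables -vnL` output."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        # Rule lines start with the packet counter; the chain header and
        # the column header line do not.
        if len(fields) < 9 or not fields[0].isdigit():
            continue
        _pkts, _bytes, target, _prot, _opt, in_if, out_if = fields[:7]
        rules.append((target, in_if, out_if))
    return rules


def iface_matches(pattern, name):
    """iptables interface semantics: '*' matches anything, 'qr-+' matches any name starting with 'qr-'."""
    if pattern == "*":
        return True
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return pattern == name


def matching_targets(rules, in_if, out_if):
    """Targets of every rule a packet forwarded from in_if to out_if would traverse."""
    return [t for t, i, o in rules if iface_matches(i, in_if) and iface_matches(o, out_if)]


def fwaas_hooks(rules, in_if, out_if, prefix="neutron-l3-agent-fwaas"):
    """Number of FWaaS chain jumps the packet hits; 0 means FWaaS never sees it."""
    return sum(1 for t in matching_targets(rules, in_if, out_if) if t.startswith(prefix))


if __name__ == "__main__":
    rules = parse_chain(SAMPLE)
    print("external -> subnet:", fwaas_hooks(rules, "qg-1a2b3c", "qr-aaaa"))  # 1
    print("subnet -> subnet  :", fwaas_hooks(rules, "qr-aaaa", "qr-bbbb"))    # 2
```

A packet crossing two qr- interfaces on the same router matches both the `* -> qr-+` and `qr-+ -> *` jumps, which is why traffic between subnets sharing a router passes through the FWaaS chains, while traffic that never enters this router namespace is only ever covered by security groups on the instance port.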

On Wed, Nov 27, 2013 at 9:56 AM, Lorin Hochstein
<lorin at nimbisservices.com> wrote:

> Hi Salvatore:
>
>
> On Mon, Nov 25, 2013 at 2:02 PM, Salvatore Orlando <sorlando at nicira.com> wrote:
>
>> Hi Lorin,
>> I think yours is a very good question; I am afraid I am not able to
>> provide a straight answer regarding in which cases one service should be
>> preferred to the other.
>>
>> Technically the difference would be that a firewall rule is enforced only
>> at the edge of your network, and is therefore not enforced for intra-tenant
>> and inter-tenant traffic, whereas a security group rule is enforced on
>> every port where the security group applies.
>>
>>
>> As an example, one could use a security group to allow traffic on ports 80
>> and 443 on all instances regardless of the source security group, and a
>> firewall rule to block access to port 80 from external sources. The result
>> would be that HTTP would be open for 'internal' traffic whereas only HTTPS
>> would be available for externally-generated traffic.
>>
>
> Can you confirm that the FWaaS rules won't apply to inter-tenant traffic?
> In a public cloud situation I would think an end-user would expect tenant
> isolation: traffic from other tenants to be treated the same way as
> external traffic.
>
> Lorin
>
> --
> Lorin Hochstein
> Lead Architect - Cloud Services
> Nimbis Services, Inc.
> www.nimbisservices.com
>
> _______________________________________________
> Mailing list:
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
>