Open Stack

Old (and undesirable) behavior was to apply the ‘firewall’ with all tenant routers.

Using --router allows you to apply the ‘firewall’ with one or more specified routers.

IIRC, there’s nothing special needed to utilize this other than to have the FWaaS driver and extension enabled.

James

> On Jan 12, 2016, at 11:57 AM, Mike Spreitzer <mspreitz at us.ibm.com> wrote:
> 
> > From: Matt Kassawara <mkassawara at gmail.com>
> > To: Mike Spreitzer/Watson/IBM at IBMUS
> > Cc: "openstack at lists.openstack.org" <openstack at lists.openstack.org>
> > Date: 01/12/2016 12:16 PM
> > Subject: Re: [Openstack] [neutron] User documentation for Neutron's
> > Firewall-as-a-Service (FWaaS)?
> >
> > Not really... :/
> >
> > On Tue, Jan 12, 2016 at 9:43 AM, Mike Spreitzer <mspreitz at us.ibm.com> wrote:
> > Is there any user documentation for FWaaS besides http://
> > docs.openstack.org/admin-guide-cloud/
> > networking_introduction.html#firewall-as-a-service-fwaas-overview
> > ?  That one is a bit skimpy and, I suspect, a little outdated. For
> > example, `neutron help firewall-create` mentions an option, `--
> > router`, that is not mentioned in that doc section and not well
> > explained in the on-line help.
> 
> So can someone please explain the `--router` option to `neutron firewall-create` in more detail?  Here is what I get from `neutron help firewall-create`:
> 
> usage: neutron firewall-create [-h] [-f {json,shell,table,value,yaml}]
>                                [-c COLUMN] [--max-width <integer>]
>                                [--noindent] [--prefix PREFIX]
>                                [--request-format {json,xml}]
>                                [--tenant-id TENANT_ID] [--name NAME]
>                                [--description DESCRIPTION]
>                                [--admin-state-down] [--router ROUTER]
>                                POLICY
> 
> ...
> optional arguments:
> ...
>   --router ROUTER       Firewall associated router names or IDs (requires
>                         FWaaS router insertion extension, this option can be
>                         repeated)
> ...
> 
> Is there someplace I can learn more about this "FWaaS router insertion extension"?  When I use DevStack, does it install this extension?  How do I controls its installation when using DevStack?  How do I install it when not using DevStack?  How, in general, can I tell whether it is installed/enabled?  What happens if I do not supply a `--router` argument to this command?  Does the answer to that depend on whether the FWaaS router insertion extension is installed/enabled?
> 
> Thanks,
> Mike
> 
> 
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20160112/361985ae/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20160112/361985ae/attachment.sig>