Shulou(Shulou.com)05/31 Report--

Editor to share with you how the openstack mitaka version of fwaas v1 is, I believe most people do not know much about it, so share this article for your reference, I hope you can learn a lot after reading this article, let's go to know it!

The first configuration reference is https://docs.openstack.org/ocata/networking-guide/fwaas-v1-scenario.html.

The principle is not introduced here, there are a lot of reference materials on the Internet. To sum up, openstack's fwaas is based on router namespace's iptables. After configuring, restarting the service, and adding FireWall rules, if no new iptables rules appear, it will cause the configuration FireWall rules to fail to take effect. I encountered this problem in the actual testing process. After studying the code, it is found that the core of the problem lies in this code:

/ usr/lib/python2.7/site-packages/neutron_fwaas/services/firewall/drivers/linux/iptables_fwaas.py

After studying it, this code always feels very strange. Generally speaking, route in ovs version is configured with DVR type, so according to the logic of this code, namespace; like snat-0411a7ef-7aa8-4584-ad40-6d1e7be9a309 will appear on controller node only if route is configured with an external gateway. Only when the virtual machine is bound with floating ip will namespace like fip-fd5962ff-2177-402e-bec6-6a307e890868 appear on compute node. That is, in this distributed routing scenario, FireWall can only control north-south traffic, not east-west traffic (because router_info.iptables_manager is not used).

So if you want to control east-west traffic, you can only remove the line of "if not router_info.router.get ('distributed'):" so that the rules of FireWall will be sent to the namespace of qrouter-xxxxxx on each node.

The above is all the content of this article "what is the openstack mitaka version of fwaas v1?" Thank you for reading! I believe we all have a certain understanding, hope to share the content to help you, if you want to learn more knowledge, welcome to follow the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.