Hi Sridar, Yes I know this is only for phase 1, while I'm also thinking about how it should be in next phase. At least, zone concept should be introduced, we may use it to replace SG, to eliminate potential conflicts of defining ACL in two different places.
________________________________ From: Sridar Kandaswamy (skandasw) [skand...@cisco.com] Sent: Thursday, August 14, 2014 10:12 PM To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [Neutron] Simple proposal for stabilizing new features in-tree Hi Wuhongning: Yes u are correct – this is phase 1 to at least get basic perimeter firewall support working with DVR before looking for an optimal way to address E – W traffic. Thanks Sridar From: Wuhongning <wuhongn...@huawei.com<mailto:wuhongn...@huawei.com>> Reply-To: OpenStack List <firstname.lastname@example.org<mailto:email@example.com>> Date: Thursday, August 14, 2014 at 1:05 AM To: OpenStack List <firstname.lastname@example.org<mailto:email@example.com>> Subject: Re: [openstack-dev] [Neutron] Simple proposal for stabilizing new features in-tree FWaas can't seamlessly work with DVR yet. A BP  has been submitted, but it can only handle NS traffic, leaving W-E untouched. If we implement the WE firewall in DVR, the iptable might be applied at a per port basis, so there are some overlapping with SG (Can we image a packet run into iptable hook twice between VM and the wire, for both ingress and egress directions?). Maybe the overall service plugins (including service extension in ML2) needs some cleaning up, It seems that Neutron is just built from separate single blocks.  http://git.openstack.org/cgit/openstack/neutron-specs/tree/specs/juno/neutron-dvr-fwaas.rst
_______________________________________________ OpenStack-dev mailing list OpenStackfirstname.lastname@example.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev