Hi Sridar,

Yes, I know this is only for phase 1, but I'm also thinking about how it 
should be in the next phase. At the least, a zone concept should be introduced; 
we may use it to replace SG, to eliminate potential conflicts from defining 
ACLs in two different places.

________________________________
From: Sridar Kandaswamy (skandasw) [skand...@cisco.com]
Sent: Thursday, August 14, 2014 10:12 PM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [Neutron] Simple proposal for stabilizing new 
features in-tree

Hi Wuhongning:

Yes, you are correct – this is phase 1 to at least get basic perimeter firewall 
support working with DVR before looking for an optimal way to address E – W 
traffic.

Thanks

Sridar

From: Wuhongning <wuhongn...@huawei.com>
Reply-To: OpenStack List <openstack-dev@lists.openstack.org>
Date: Thursday, August 14, 2014 at 1:05 AM
To: OpenStack List <openstack-dev@lists.openstack.org>
Subject: Re: [openstack-dev] [Neutron] Simple proposal for stabilizing new 
features in-tree

FWaaS can't seamlessly work with DVR yet. A BP [1] has been submitted, but it 
can only handle N-S traffic, leaving W-E untouched. If we implement the W-E 
firewall in DVR, the iptables rules might be applied on a per-port basis, so 
there is some overlap with SG (can we imagine a packet running into the 
iptables hook twice between the VM and the wire, for both ingress and egress 
directions?).

Maybe the overall service plugins (including the service extension in ML2) need 
some cleaning up. It seems that Neutron is just built from separate single 
blocks.

[1] http://git.openstack.org/cgit/openstack/neutron-specs/tree/specs/juno/neutron-dvr-fwaas.rst
