On Mon, Nov 02, 2015 at 02:39:49AM EST, Oğuz Yarımtepe wrote:
> All I need is to create a firewall, but instead of
> using iptables, I want to use the hardware firewall and be able to define
> filtering rules.

In the current experimental API, firewalls are global in scope and cover an entire tenant. There *is* an API extension (router insertion) that can associate a firewall with a specific tenant Neutron router; however, not every vendor supports it.

You mentioned that your firewall appliance does not route, it just filters. Depending on how you are routing, and on whether you are going to support the router insertion API extension, it could be that your firewall appliance may not be able to filter all traffic. Unless, that is, you put the firewall appliance in as a bump in the wire.

Really, this all boils down to the point that the Firewall as a Service API does not have good semantics for where a firewall is inserted in all cases. Even with the router insertion API extension, there are cases it doesn't cover, like DVR [1].

Currently the FWaaS community is attempting to fix this by just having the API express *what* ports a tenant wishes to associate with a firewall policy, and letting the implementation figure out how best to plumb it and where to insert filtering rules. This means that the API will change semantics significantly, and just inserting a hardware device at the edge would not cover all that the newer Firewall API will be able to express.

[1]: https://etherpad.openstack.org/p/FWaaS_with_DVR

-- 
Sean M. Collins

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
