Comment 4 for bug 1492142

ZongKai LI (zongkai) wrote :

Hi, Sridar.
Well, besides your plan, I did some investigation. In the iptables driver scenario, it seems firewall rules for a DVR floating IP will be added into the qrouter namespace, not the fip namespace. And that will make the firewall rules fail to work.

FW rules are built on the FORWARD chain, but the DNAT rules built on the PREROUTING chain will change the ingress traffic's destination IP address first.

And the relevant code I located is https://github.com/openstack/neutron-fwaas/blob/master/neutron_fwaas/services/firewall/drivers/linux/iptables_fwaas.py#L89-L92 :

        if router_info.dist_fip_count:
            # handle the fip case on n/w or compute node.
            ipt_mgrs.append({'ipt': router_info.iptables_manager,
                             'if_prefix': ROUTER_2_FIP_DEV_PREFIX})

while I think it should be:

        if router_info.dist_fip_count:
            # handle the fip case on n/w or compute node.
            ipt_mgrs.append({'ipt': router_info.fip_ns.iptables_manager,
                             'if_prefix': FIP_EXT_DEV_PREFIX})  # 'fg-'; we need to add this constant in this file.

I did test that in my env, and it works. Steps I did:
1) associate a floating IP to a VM,
2) create a firewall rule (action=allow, protocol=icmp) for the floating IP address and the other firewall stuff,
3) enter the fip namespace; the firewall rule for the floating IP can be found,
4) the floating IP is pingable, as expected,
5) update the firewall rule (action=deny), enter the fip namespace; the iptables rules are updated,
6) the floating IP is not pingable, as expected.

But I didn't test cases like:
1) create the firewall before the floating IP is created,
2) after the firewall and floating IP are created, restart the l3-agent.

Hope that can help you.
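As an added illustration (not code from neutron-fwaas or from the commenter), a small Python model of per-namespace netfilter traversal; it assumes the DVR device prefixes 'rfp-' and 'fg-' and constructed sample addresses, and shows why a FORWARD rule matching on the floating IP is bypassed in qrouter by the PREROUTING DNAT but matches in the fip namespace:

```python
# Added illustration (not neutron-fwaas code): a minimal model of netfilter
# traversal for forwarded traffic, showing why a FORWARD rule keyed on the
# floating IP never matches in the qrouter namespace once PREROUTING DNAT has
# rewritten the destination, but does match in the fip namespace.
from dataclasses import dataclass, field

# Device prefixes used by neutron's DVR fip namespace (assumed values).
ROUTER_2_FIP_DEV_PREFIX = 'rfp-'  # qrouter-side end of the qrouter<->fip veth
FIP_EXT_DEV_PREFIX = 'fg-'        # external gateway device inside the fip ns

# Constructed sample addresses.
FLOATING_IP = '203.0.113.10'
FIXED_IP = '10.0.0.5'


@dataclass
class Namespace:
    name: str
    dnat: dict = field(default_factory=dict)     # nat PREROUTING: dst -> new dst
    forward: list = field(default_factory=list)  # filter FORWARD rules, in order

    def traverse(self, dst, proto, in_dev):
        """Verdict of filter FORWARD after nat PREROUTING has run on the packet."""
        dst = self.dnat.get(dst, dst)  # DNAT happens before routing and FORWARD
        for rule in self.forward:
            if (rule['dst'] == dst and rule['proto'] == proto
                    and in_dev.startswith(rule['if_prefix'])):
                return rule['action']
        return 'ACCEPT'  # the model assumes an ACCEPT default policy


def build_namespaces():
    qrouter = Namespace('qrouter', dnat={FLOATING_IP: FIXED_IP})
    fip_ns = Namespace('fip')  # no DNAT here; it only routes the FIP to qrouter
    return qrouter, fip_ns


def verdict(place_in_fip_ns):
    """Install 'deny icmp to FLOATING_IP' and return the verdict for ingress ICMP."""
    qrouter, fip_ns = build_namespaces()
    rule = {'dst': FLOATING_IP, 'proto': 'icmp', 'action': 'DROP'}
    if place_in_fip_ns:  # proposed fix: fip_ns.iptables_manager with 'fg-'
        fip_ns.forward.append(dict(rule, if_prefix=FIP_EXT_DEV_PREFIX))
        return fip_ns.traverse(FLOATING_IP, 'icmp', 'fg-constructed')
    # current code: router_info.iptables_manager (qrouter) with 'rfp-'
    qrouter.forward.append(dict(rule, if_prefix=ROUTER_2_FIP_DEV_PREFIX))
    return qrouter.traverse(FLOATING_IP, 'icmp', 'rfp-constructed')
```

With the rule in qrouter the deny is silently ineffective (verdict ACCEPT), which is the failure mode described above; in the fip namespace the same rule drops the ping.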