Hi, Sridar.
Well, besides your plan, I did some investigation. In the iptables driver scenario, it seems the firewall rules for a DVR floating IP will be added into the qrouter namespace, not the fip namespace. And that will make the firewall rules fail to work.
The FW rules are built on the FORWARD chain, but the DNAT rules built on the PREROUTING chain will change the ingress traffic's destination IP address first.
And the relevant code I located is https://github.com/openstack/neutron-fwaas/blob/master/neutron_fwaas/services/firewall/drivers/linux/iptables_fwaas.py#L89-L92 :
    if router_info.dist_fip_count:
        # handle the fip case on n/w or compute node.
        ipt_mgrs.append({'ipt': router_info.iptables_manager,
                         'if_prefix': ROUTER_2_FIP_DEV_PREFIX})
while I think it should be:
    if router_info.dist_fip_count:
        # handle the fip case on n/w or compute node.
        ipt_mgrs.append({'ipt': router_info.fip_ns.iptables_manager,
                         # 'fg-', we need to add this constant in this file.
                         'if_prefix': FIP_EXT_DEV_PREFIX})
I did test that in my env, and it works. Steps I did:
1) associate a floating IP to a VM,
2) create a firewall rule (action=allow, protocol=icmp) for the floating IP address, plus the other firewall stuff.
3) enter the fip namespace; the firewall rule for the floating IP can be found there.
4) the floating IP is pingable, expected result.
5) update the firewall rule (action=deny), enter the fip namespace, the iptables rules are updated.
6) the floating IP is not pingable, expected result.
But I didn't test cases like:
1) create the firewall before the floating IP is created.
2) after the firewall and the floating IP are created, restart the l3-agent.
Hope that can help you.
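As an added illustration (not code from this thread or from neutron-fwaas), here is a small model of the chain order described above: nat PREROUTING rewrites the destination before filter FORWARD runs, so a rule keyed on the floating IP can only match in the namespace that does not perform the DNAT. The addresses, the dict-based packet and rule shapes, and the trailing default DROP are all constructed assumptions of this model.

```python
FLOATING_IP = "203.0.113.10"  # constructed floating IP (TEST-NET-3)
FIXED_IP = "10.0.0.5"         # constructed fixed IP of the VM behind the DVR router
ACTION_TO_TARGET = {"allow": "ACCEPT", "deny": "DROP"}


def nat_prerouting(pkt, dnat_rules):
    """nat PREROUTING runs before routing, so FORWARD sees the rewritten dst."""
    return dict(pkt, dst=dnat_rules.get(pkt["dst"], pkt["dst"]))


def filter_forward(pkt, fw_rules, default_target="DROP"):
    """filter FORWARD: the first rule matching (dst, proto) wins.

    The trailing default DROP stands in for a default-policy rule at the end
    of the chain; it is an assumption of this model, not taken from the thread."""
    for rule in fw_rules:
        if rule["dst"] == pkt["dst"] and rule["proto"] == pkt["proto"]:
            return ACTION_TO_TARGET[rule["action"]]
    return default_target


def traverse(pkt, dnat_rules, fw_rules):
    """Packet path through one namespace: PREROUTING (nat), then FORWARD (filter)."""
    return filter_forward(nat_prerouting(pkt, dnat_rules), fw_rules)


def ping_floating_ip(fw_action):
    """Verdict for an ICMP packet to the floating IP when the firewall rule is
    installed in the qrouter namespace (current code) versus the fip namespace
    (proposed change)."""
    pkt = {"dst": FLOATING_IP, "proto": "icmp"}
    fw_rules = [{"dst": FLOATING_IP, "proto": "icmp", "action": fw_action}]
    qrouter_dnat = {FLOATING_IP: FIXED_IP}  # the floating IP DNAT lives in qrouter
    return {
        # qrouter: DNAT already rewrote dst to FIXED_IP, so the rule never matches
        "qrouter": traverse(pkt, qrouter_dnat, fw_rules),
        # fip namespace: no DNAT here, dst is still FLOATING_IP, so the rule is honoured
        "fip": traverse(pkt, {}, fw_rules),
    }


if __name__ == "__main__":
    for action in ("allow", "deny"):
        print(action, ping_floating_ip(action))
```

In the qrouter namespace the verdict is the same whatever the rule says, which is the "rules fail to work" symptom; in the fip namespace the allow/deny toggle changes the result, matching test steps 4 and 6.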