Learning OpenStack Networking (Neutron)

By: James Denton
Firewall rules – behind the scenes

To demonstrate how firewall policies are applied to a Neutron router, check out the following firewall rule that allows HTTP traffic from any remote host to any instance on TCP port 80:

Using the Neutron firewall-policy-create command, I have created a policy that contains the preceding rule:

Using the Neutron firewall-create command, I have created a firewall using the policy MyFirewallPolicy:

The firewall status will remain in PENDING_CREATE until the rules have been applied to the Neutron routers within the tenant, at which time the status will turn to ACTIVE:

Stepping through the chains within the firewall

As a result of creating the firewall, the rules within the firewall policy have been implemented on all routers within the tenant. This is not a desired behavior; rather, it is a limitation of FWaaS.

Running iptables-save within a router namespace reveals the iptables rules in place. For readability, only the filter table is shown in the following screenshot...
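The rule-to-policy-to-firewall sequence described above, followed by a check that the resulting rule reached each router namespace, as an added shell example that is not from the book. It assumes the FWaaS v1 neutron CLI, the names MyHTTPRule and MyFirewall, and that the FWaaS ingress chains are named neutron-l3-agent-iv<fwid-prefix>; the iptables-save sample is constructed.

```shell
# Added example, not code from the book. Assumes the FWaaS v1 "neutron" CLI
# and router namespaces named qrouter-<id>.

# Rule -> policy -> firewall, as the text describes (rule/firewall names assumed).
create_http_firewall() {
    neutron firewall-rule-create --name MyHTTPRule --protocol tcp \
        --destination-port 80 --action allow
    neutron firewall-policy-create --firewall-rules MyHTTPRule MyFirewallPolicy
    neutron firewall-create --name MyFirewall MyFirewallPolicy
}

# Poll firewall-show until the status leaves PENDING_CREATE for ACTIVE.
wait_for_active() {
    tries=${2:-30}
    while [ "$tries" -gt 0 ]; do
        [ "$(neutron firewall-show "$1" -f value -c status)" = ACTIVE ] && return 0
        sleep 2; tries=$((tries - 1))
    done
    return 1
}

# Read iptables-save filter-table text on stdin; succeed if a FWaaS ingress
# chain (neutron-l3-agent-iv..., an assumed naming) accepts TCP port 80.
has_http_accept() {
    grep -Eq -- '^-A neutron-l3-agent-iv[^ ]+ .*-p tcp .*--dport 80 .*-j ACCEPT$'
}

# Verify the rule landed in every router namespace on this node.
check_all_routers() {
    for ns in $(ip netns list | awk '/^qrouter-/ {print $1}'); do
        if ip netns exec "$ns" iptables-save -t filter | has_http_accept; then
            echo "$ns: HTTP allow rule present"
        else
            echo "$ns: HTTP allow rule MISSING"
        fi
    done
}

# Constructed sample of the filter table after the firewall goes ACTIVE; the
# firewall id fragment is a placeholder.
SAMPLE_FILTER='*filter
:neutron-l3-agent-iv0123abcd - [0:0]
:neutron-l3-agent-fwaas-defau - [0:0]
-A neutron-l3-agent-iv0123abcd -p tcp -m tcp --dport 80 -j ACCEPT
-A neutron-l3-agent-fwaas-defau -j DROP
COMMIT'

# Offline check against the sample: exit status 0 means the rule is present.
printf '%s\n' "$SAMPLE_FILTER" | has_http_accept
```

On a live node, run create_http_firewall, then wait_for_active MyFirewall, then check_all_routers to confirm the rule is present in every qrouter namespace.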