Hi Zhi:

With the L3 implementation, FWaaS acts on traffic that is seen by the router 
(we have some issues with DVR), so it is really constrained to N-S. SG will of 
course see all traffic. Once we have the FWaaS L2 implementation, it opens up 
the possibility of being applied on a VM port and hence can see all traffic.

Thanks

Sridar

From: zhi <changzhi1...@gmail.com>
Reply-To: OpenStack List <openstack-dev@lists.openstack.org>
Date: Monday, December 19, 2016 at 10:43 PM
To: OpenStack List <openstack-dev@lists.openstack.org>
Subject: Re: [openstack-dev] [neutron] Where will Neutron go in future?

Hi, Sridar.

Thanks for your reply. I still have a question about SG and FWaaS. Does a VM's 
east-west traffic belong to FWaaS or SG? What about a VM's north-south traffic?

I think that a VM's east-west traffic belongs to SG and the north-south traffic 
belongs to FWaaS, doesn't it? :)


Thanks
Zhi Chang

2016-12-20 1:45 GMT+08:00 Sridar Kandaswamy (skandasw) <skand...@cisco.com>:
Hi Zhi:

FWaaS has been seen more as an edge (on L3 ports) use case as opposed to SG, 
which is on a VM port. Also, as you can see, there are differences in the 
attributes on the Rule specification at the most basic level. At this point, we 
are working through the implementation of FWaaS on L2 ports, so that makes your 
question more relevant. At least one school of thought that we have been 
working with is that the FWaaS API can be more open and continue to evolve to 
support, for instance, L4-L7 use cases amongst others, but the SG API will 
continue to stay a simpler model (some have also pointed out the need for SG to 
be aligned with AWS).

This is still in evolution and we would welcome participation. If you can, 
please do drop in to our weekly team meeting [1] and we can discuss further.

Thanks

Sridar
[1] http://eavesdrop.openstack.org/#Firewall_as_a_Service_(FWaaS)_Team_Meeting


From: zhi <changzhi1...@gmail.com>
Reply-To: OpenStack List <openstack-dev@lists.openstack.org>
Date: Sunday, December 18, 2016 at 7:36 PM
To: OpenStack List <openstack-dev@lists.openstack.org>
Subject: Re: [openstack-dev] [neutron] Where will Neutron go in future?

Hi, Nate, thanks for your reply.

May I ask a slightly stupid question? What's the difference between FWaaS and 
security groups? In my opinion, FWaaS and security groups are both using Linux 
iptables now. So, what are the differences between them?

Thanks
Zhi Chang

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

