Yes..
I have controller + network + compute node in a single machine.

--
Trinath Somanchi - B39208
trinath.soman...@freescale.com | extn: 4048

From: 郭龙仓 [mailto:guolongcang.w...@gmail.com]
Sent: Wednesday, December 11, 2013 2:08 PM
To: Somanchi Trinath-B39208
Cc: openstack@lists.openstack.org
Subject: Re: [Openstack] [FWaaS] Doubts with FWaaS

All-in-one deploy? The qr-{xxx} device is created on the network node.

2013/12/11 <trinath.soman...@freescale.com>
Hi-

I have the following chains in the iptables.

root@havana:~# iptables -L -n -v
Chain INPUT (policy ACCEPT 6021 packets, 474K bytes)
 pkts bytes target     prot opt in     out     source               destination
 5921  465K nova-api-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 nova-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 nova-api-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 6746 packets, 462K bytes)
 pkts bytes target     prot opt in     out     source               destination
 6614  452K nova-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 6614  452K nova-api-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain nova-api-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain nova-api-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.10.10.100         tcp dpt:8775

Chain nova-api-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain nova-api-local (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain nova-filter-top (2 references)
 pkts bytes target     prot opt in     out     source               destination
 6614  452K nova-api-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0


I find none with the names suggested below. Am I missing any of the
configurations required?

Kindly help me in this regard.

--
Trinath Somanchi - B39208
trinath.soman...@freescale.com | extn: 4048

From: 郭龙仓 [mailto:guolongcang.w...@gmail.com]
Sent: Wednesday, December 11, 2013 1:46 PM
To: Somanchi Trinath-B39208
Cc: openstack@lists.openstack.org
Subject: Re: [Openstack] [FWaaS] Doubts with FWaaS

FWaaS is implemented through iptables on the qr-{xxx} device: one inbound chain
named like neutron-l3-agent-iv{xxx} and one outbound chain named like
neutron-l3-agent-ov{xxx}.

You can check the qr-{xxx} device's iptables rules.

2013/12/11 <trinath.soman...@freescale.com>
Hi stackers-

I have configured FWaaS with Neutron.

Also, I have created a simple firewall rule, added the same to a policy and
created a firewall with this policy from the CLI.

The firewall is in ERROR state.

The rules and the policies were added to the DB.

How do I debug to find the error? Also, will these rules be added to the
iptables?

Help me troubleshoot and understand the same.

--
Trinath Somanchi - B39208
trinath.soman...@freescale.com | extn: 4048
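
Added example, not part of the thread: a shell check for the chain names given in the reply (neutron-l3-agent-iv{xxx} and neutron-l3-agent-ov{xxx}), run over constructed `iptables -S` samples. It assumes the L3 agent keeps each router's qr-{xxx} device in a qrouter-* network namespace, in which case a root-namespace listing like the one above would not show those chains; the chain IDs and sample rules are made up.

```shell
# Added example (not from the thread). Helpers read `iptables -S` output on stdin.

# Names of FWaaS chains, using the prefixes quoted in the reply:
# neutron-l3-agent-iv{xxx} (inbound) and neutron-l3-agent-ov{xxx} (outbound).
fwaas_chains() {
    awk '$1 == "-N" && $2 ~ /^neutron-l3-agent-[io]v/ { print $2 }' | sort -u
}

# Number of rules appended to those chains (0 means the chains are empty).
fwaas_rule_count() {
    awk '$1 == "-A" && $2 ~ /^neutron-l3-agent-[io]v/ { n++ } END { print n + 0 }'
}

# Constructed sample: root namespace with nova chains only, as in the listing above.
sample_root_ns() {
    cat <<'EOF'
-N nova-api-INPUT
-N nova-filter-top
-A INPUT -j nova-api-INPUT
-A nova-api-INPUT -d 10.10.10.100/32 -p tcp -m tcp --dport 8775 -j ACCEPT
EOF
}

# Constructed sample: a router namespace with a firewall applied (IDs made up).
sample_router_ns() {
    cat <<'EOF'
-N neutron-l3-agent-FORWARD
-N neutron-l3-agent-iv4a1b2c3d4
-N neutron-l3-agent-ov4a1b2c3d4
-A neutron-l3-agent-FORWARD -o qr-+ -j neutron-l3-agent-iv4a1b2c3d4
-A neutron-l3-agent-FORWARD -i qr-+ -j neutron-l3-agent-ov4a1b2c3d4
-A neutron-l3-agent-iv4a1b2c3d4 -m state --state INVALID -j DROP
-A neutron-l3-agent-iv4a1b2c3d4 -p tcp -m tcp --dport 22 -j ACCEPT
-A neutron-l3-agent-ov4a1b2c3d4 -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Live check (root required). Assumption: the L3 agent uses qrouter-* namespaces.
scan_host() {
    echo "root: $(iptables -S | fwaas_chains | wc -l) FWaaS chain(s)"
    for ns in $(ip netns list | awk '/^qrouter-/ { print $1 }'); do
        echo "$ns: $(ip netns exec "$ns" iptables -S | fwaas_chains | wc -l) FWaaS chain(s)"
    done
}

if [ "${1:-}" = "--live" ]; then scan_host; else
    echo "root sample:   $(sample_root_ns | fwaas_chains | wc -l) chain(s)"
    echo "router sample: $(sample_router_ns | fwaas_chains | wc -l) chain(s), $(sample_router_ns | fwaas_rule_count) rule(s)"
fi
```

Run with `--live` as root on the all-in-one host to scan the root namespace and every qrouter-* namespace instead of the samples.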


_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

