Neutron/FWaaS/FWaaS-DVR
====Manual testing logs:====
 
====Manual testing logs:====
 +
1. Legacy Firewall: Create FW, check qrouter namespace, Datapath test.

=====Check baseline namespace no rules=====
<pre><nowiki>
[stack@skandasw-2:/home/stack/devstack] master 1 ± sudo ip netns exec qrouter-c79d0c27-f998-448c-b240-60ec1b08b89d iptables -n -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 neutron-l3-agent-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 neutron-l3-agent-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 neutron-l3-agent-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-filter-top (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 neutron-l3-agent-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-l3-agent-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain neutron-l3-agent-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:9697

Chain neutron-l3-agent-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain neutron-l3-agent-local (1 references)
 pkts bytes target     prot opt in     out     source               destination
[stack@skandasw-2:/home/stack/devstack] master ±
</nowiki></pre>

=====Create Firewall=====
<pre><nowiki>
[stack@skandasw-2:/home/stack/devstack] master ± neutron firewall-create test-policy
Created a new firewall:
+--------------------+--------------------------------------+
| Field              | Value                                |
+--------------------+--------------------------------------+
| admin_state_up     | True                                 |
| description        |                                      |
| firewall_policy_id | 323afcfd-f29d-46e1-a896-4212866948b9 |
| id                 | 2b9d2753-b8df-4134-8908-3bd019b5e6dd |
| name               |                                      |
| status             | PENDING_CREATE                       |
| tenant_id          | 1f14a09f0d034745b1b455264b7593c9     |
+--------------------+--------------------------------------+
[stack@skandasw-2:/home/stack/devstack] master ± neutron firewall-show 2b9d2753-b8df-4134-8908-3bd019b5e6dd
+--------------------+--------------------------------------+
| Field              | Value                                |
+--------------------+--------------------------------------+
| admin_state_up     | True                                 |
| description        |                                      |
| firewall_policy_id | 323afcfd-f29d-46e1-a896-4212866948b9 |
| id                 | 2b9d2753-b8df-4134-8908-3bd019b5e6dd |
| name               |                                      |
| status             | ACTIVE                               |
| tenant_id          | 1f14a09f0d034745b1b455264b7593c9     |
+--------------------+--------------------------------------+
[stack@skandasw-2:/home/stack/devstack] master ±
</nowiki></pre>

=====Recheck namespace, Rules seen=====
<pre><nowiki>
[stack@skandasw-2:/home/stack/devstack] master ± sudo ip netns exec qrouter-c79d0c27-f998-448c-b240-60ec1b08b89d iptables -n -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 neutron-l3-agent-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 neutron-l3-agent-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 neutron-l3-agent-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-filter-top (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 neutron-l3-agent-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-l3-agent-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 neutron-l3-agent-iv42b9d2753  all  --  *      qr-+    0.0.0.0/0            0.0.0.0/0
    0     0 neutron-l3-agent-ov42b9d2753  all  --  qr-+   *       0.0.0.0/0            0.0.0.0/0
    0     0 neutron-l3-agent-fwaas-defau  all  --  *      qr-+    0.0.0.0/0            0.0.0.0/0
    0     0 neutron-l3-agent-fwaas-defau  all  --  qr-+   *       0.0.0.0/0            0.0.0.0/0

Chain neutron-l3-agent-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:9697

Chain neutron-l3-agent-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain neutron-l3-agent-fwaas-defau (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-l3-agent-iv42b9d2753 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3879

Chain neutron-l3-agent-local (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain neutron-l3-agent-ov42b9d2753 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3879
[stack@skandasw-2:/home/stack/devstack] master ±
</nowiki></pre>

2. Legacy Firewall: Add a router with FW present - make sure that new qrouter namespace is populated.
<pre><nowiki>
[stack@skandasw-2:/home/stack/devstack] master ± neutron router-create router2
Created a new router:
+-----------------------+--------------------------------------+
| Field                 | Value                                |
+-----------------------+--------------------------------------+
| admin_state_up        | True                                 |
| external_gateway_info |                                      |
| id                    | e2fbf4f2-c97d-45a6-afaf-8537d49c2e0c |
| name                  | router2                              |
| routes                |                                      |
| status                | ACTIVE                               |
| tenant_id             | 1f14a09f0d034745b1b455264b7593c9     |
+-----------------------+--------------------------------------+
[stack@skandasw-2:/home/stack/devstack] master ± neutron net-list
+--------------------------------------+---------+--------------------------------------------------+
| id                                   | name    | subnets                                          |
+--------------------------------------+---------+--------------------------------------------------+
| 3ade806e-bee9-4b9d-bb35-ec8b3ed50e0f | private | 917a20e9-60e6-4faf-9bcd-8f6ba9d40ba3 10.0.0.0/24 |
| b9b27d1e-924b-4386-bbb5-841bb043eae4 | public  | c57aa790-0383-474d-b4ef-8d57217bcc6c             |
+--------------------------------------+---------+--------------------------------------------------+

[stack@skandasw-2:/home/stack/devstack] master 2 ± neutron net-create private2
Created a new network:
+-----------------+--------------------------------------+
| Field           | Value                                |
+-----------------+--------------------------------------+
| admin_state_up  | True                                 |
| id              | a62ddb50-c195-4601-b8de-1f9a9f60c5b9 |
| name            | private2                             |
| router:external | False                                |
| shared          | False                                |
| status          | ACTIVE                               |
| subnets         |                                      |
| tenant_id       | 1f14a09f0d034745b1b455264b7593c9     |
+-----------------+--------------------------------------+

[stack@skandasw-2:/home/stack/devstack] master ± neutron subnet-create private2 11.0.0.0/24
Created a new subnet:
+-------------------+--------------------------------------------+
| Field             | Value                                      |
+-------------------+--------------------------------------------+
| allocation_pools  | {"start": "11.0.0.2", "end": "11.0.0.254"} |
| cidr              | 11.0.0.0/24                                |
| dns_nameservers   |                                            |
| enable_dhcp       | True                                       |
| gateway_ip        | 11.0.0.1                                   |
| host_routes       |                                            |
| id                | c6751a78-a950-41bf-a3dd-ac377f8015e2       |
| ip_version        | 4                                          |
| ipv6_address_mode |                                            |
| ipv6_ra_mode      |                                            |
| name              |                                            |
| network_id        | a62ddb50-c195-4601-b8de-1f9a9f60c5b9       |
| tenant_id         | 1f14a09f0d034745b1b455264b7593c9           |
+-------------------+--------------------------------------------+
</nowiki></pre>

=====new namespace for router seen=====
<pre><nowiki>
[stack@skandasw-2:/home/stack/devstack] master ± sudo ip netns
qrouter-e2fbf4f2-c97d-45a6-afaf-8537d49c2e0c
qrouter-c79d0c27-f998-448c-b240-60ec1b08b89d

[stack@skandasw-2:/home/stack/devstack] master ± neutron firewall-show 2b9d2753-b8df-4134-8908-3bd019b5e6dd
+--------------------+--------------------------------------+
| Field              | Value                                |
+--------------------+--------------------------------------+
| admin_state_up     | True                                 |
| description        |                                      |
| firewall_policy_id | 323afcfd-f29d-46e1-a896-4212866948b9 |
| id                 | 2b9d2753-b8df-4134-8908-3bd019b5e6dd |
| name               |                                      |
| status             | ACTIVE                               |
| tenant_id          | 1f14a09f0d034745b1b455264b7593c9     |
+--------------------+--------------------------------------+
</nowiki></pre>

=====Check for rules=====
<pre><nowiki>
[stack@skandasw-2:/home/stack/devstack] master ± sudo ip netns exec qrouter-e2fbf4f2-c97d-45a6-afaf-8537d49c2e0c iptables -n -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 neutron-l3-agent-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 neutron-l3-agent-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 neutron-l3-agent-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-filter-top (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 neutron-l3-agent-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-l3-agent-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 neutron-l3-agent-iv42b9d2753  all  --  *      qr-+    0.0.0.0/0            0.0.0.0/0
    0     0 neutron-l3-agent-ov42b9d2753  all  --  qr-+   *       0.0.0.0/0            0.0.0.0/0
    0     0 neutron-l3-agent-fwaas-defau  all  --  *      qr-+    0.0.0.0/0            0.0.0.0/0
    0     0 neutron-l3-agent-fwaas-defau  all  --  qr-+   *       0.0.0.0/0            0.0.0.0/0

Chain neutron-l3-agent-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:9697

Chain neutron-l3-agent-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain neutron-l3-agent-fwaas-defau (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-l3-agent-iv42b9d2753 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3879

Chain neutron-l3-agent-local (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain neutron-l3-agent-ov42b9d2753 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3879
[stack@skandasw-2:/home/stack/devstack] master ±
</nowiki></pre>

3. DVR Single Node - Create VM, Check namespaces, Ping br-ex

=====Created a VM from horizon and verified that pings to br-ex succeed.=====
<pre><nowiki>
[stack@skandasw-2:/home/stack/devstack] master ± sudo ip netns
snat-e4d280aa-73c7-4615-abea-bf847fb215b6
qrouter-e4d280aa-73c7-4615-abea-bf847fb215b6
[stack@skandasw-2:/home/stack/devstack] master ±


[stack@skandasw-2:/home/stack/devstack] master ± sudo ip netns exec snat-e4d280aa-73c7-4615-abea-bf847fb215b6 iptables -n -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 neutron-l3-agent-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 neutron-l3-agent-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 neutron-l3-agent-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-filter-top (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 neutron-l3-agent-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-l3-agent-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain neutron-l3-agent-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain neutron-l3-agent-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain neutron-l3-agent-local (1 references)
 pkts bytes target     prot opt in     out     source               destination


[stack@skandasw-2:/home/stack/devstack] master ± sudo ip netns exec qrouter-e4d280aa-73c7-4615-abea-bf847fb215b6 iptables -n -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 neutron-l3-agent-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 neutron-l3-agent-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 neutron-l3-agent-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-filter-top (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 neutron-l3-agent-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-l3-agent-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain neutron-l3-agent-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:9697

Chain neutron-l3-agent-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain neutron-l3-agent-local (1 references)
 pkts bytes target     prot opt in     out     source               destination
[stack@skandasw-2:/home/stack/devstack] master ±
</nowiki></pre>

4. DVR Single Node - Associate Floating IP, check namespaces, ping br-ex

=====Add Floating IP to VM=====
<pre><nowiki>
[stack@skandasw-2:/home/stack/devstack] master ± sudo ip netns
fip-22fa2b34-351e-490c-a8d4-929af8bfed78
qdhcp-2113d721-bf77-441c-b486-6f63357fadf3
snat-e4d280aa-73c7-4615-abea-bf847fb215b6
qrouter-e4d280aa-73c7-4615-abea-bf847fb215b6
</nowiki></pre>

5. DVR Single Node - create FW, check for rules in namespaces, ping br-ex for data path
<pre><nowiki>
[stack@skandasw-2:/home/stack/devstack] master ± sudo ip netns exec qrouter-e4d280aa-73c7-4615-abea-bf847fb215b6 iptables -n -L -v
Chain INPUT (policy ACCEPT 3 packets, 714 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   714 neutron-l3-agent-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 37 packets, 3108 bytes)
 pkts bytes target     prot opt in     out     source               destination
  108  9072 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  108  9072 neutron-l3-agent-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1 packets, 84 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    84 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    84 neutron-l3-agent-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-filter-top (2 references)
 pkts bytes target     prot opt in     out     source               destination
  109  9156 neutron-l3-agent-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-l3-agent-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
   37  3108 neutron-l3-agent-iv4a0f5d9dd  all  --  *      rfp-+   0.0.0.0/0            0.0.0.0/0
   34  2856 neutron-l3-agent-ov4a0f5d9dd  all  --  rfp-+  *       0.0.0.0/0            0.0.0.0/0
    0     0 neutron-l3-agent-fwaas-defau  all  --  *      rfp-+   0.0.0.0/0            0.0.0.0/0
    0     0 neutron-l3-agent-fwaas-defau  all  --  rfp-+  *       0.0.0.0/0            0.0.0.0/0

Chain neutron-l3-agent-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:9697

Chain neutron-l3-agent-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain neutron-l3-agent-fwaas-defau (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-l3-agent-iv4a0f5d9dd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
   33  2772 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    3   252 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3879

Chain neutron-l3-agent-local (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain neutron-l3-agent-ov4a0f5d9dd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
   33  2772 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3879


[stack@skandasw-2:/home/stack/devstack] master ± sudo ip netns exec snat-e4d280aa-73c7-4615-abea-bf847fb215b6 iptables -n -L -v
Chain INPUT (policy ACCEPT 2 packets, 630 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   630 neutron-l3-agent-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 6 packets, 504 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   504 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    6   504 neutron-l3-agent-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 neutron-l3-agent-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-filter-top (2 references)
 pkts bytes target     prot opt in     out     source               destination
    6   504 neutron-l3-agent-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-l3-agent-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 neutron-l3-agent-iv4a0f5d9dd  all  --  *      sg-+    0.0.0.0/0            0.0.0.0/0
    0     0 neutron-l3-agent-ov4a0f5d9dd  all  --  sg-+   *       0.0.0.0/0            0.0.0.0/0
    0     0 neutron-l3-agent-fwaas-defau  all  --  *      sg-+    0.0.0.0/0            0.0.0.0/0
    0     0 neutron-l3-agent-fwaas-defau  all  --  sg-+   *       0.0.0.0/0            0.0.0.0/0

Chain neutron-l3-agent-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain neutron-l3-agent-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain neutron-l3-agent-fwaas-defau (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-l3-agent-iv4a0f5d9dd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3879

Chain neutron-l3-agent-local (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain neutron-l3-agent-ov4a0f5d9dd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3879
[stack@skandasw-2:/home/stack/devstack] master ±
</nowiki></pre>

6. DVR Single Node - with FW, create a router, set gw, check namespace

7. DVR Single Node - with FW, add router interface to (6) check namespace
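The "check for rules" steps in the logs above can be turned into a repeatable check. The following is an added example (not Neutron code and not from this wiki page): it parses `iptables -n -L -v` output captured from a router namespace and verifies that the FWaaS chains are hooked into neutron-l3-agent-FORWARD on the interface glob the logs show for that namespace type (qr-+ for a legacy qrouter, rfp-+ for a DVR qrouter, sg-+ for the DVR snat namespace), that the default-drop jumps follow the policy chains, and that each policy chain starts with the stateful INVALID/ESTABLISHED rules. The sample input is a constructed excerpt in that format; the namespace-type names in IFACE_PREFIX are the example's own.

```python
import re

# Constructed excerpt in the `iptables -n -L -v` format the logs above show for
# the DVR qrouter namespace after firewall-create; chain names, the rfp-+ glob
# and counters follow the page, the INPUT/OUTPUT chains are left out.
SAMPLE_DVR_QROUTER = """\
Chain neutron-l3-agent-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
   37  3108 neutron-l3-agent-iv4a0f5d9dd  all  --  *      rfp-+   0.0.0.0/0            0.0.0.0/0
   34  2856 neutron-l3-agent-ov4a0f5d9dd  all  --  rfp-+  *       0.0.0.0/0            0.0.0.0/0
    0     0 neutron-l3-agent-fwaas-defau  all  --  *      rfp-+   0.0.0.0/0            0.0.0.0/0
    0     0 neutron-l3-agent-fwaas-defau  all  --  rfp-+  *       0.0.0.0/0            0.0.0.0/0

Chain neutron-l3-agent-fwaas-defau (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-l3-agent-iv4a0f5d9dd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
   33  2772 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3879

Chain neutron-l3-agent-ov4a0f5d9dd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
   33  2772 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
"""

# Interface glob the l3 agent binds the firewall chains to in each namespace
# type, as seen in the logs above. The type names are this example's own.
IFACE_PREFIX = {"legacy-qrouter": "qr-", "dvr-qrouter": "rfp-", "dvr-snat": "sg-"}

CHAIN_RE = re.compile(r"^Chain (?P<name>\S+) \(")
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+[KMG]?)\s+(?P<bytes>\d+[KMG]?)\s+(?P<target>\S+)\s+"
    r"(?P<prot>\S+)\s+(?P<opt>\S+)\s+(?P<in>\S+)\s+(?P<out>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$")


def parse_iptables(text):
    """Parse `iptables -n -L -v` output into {chain name: [rule dict, ...]}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group("name")
            chains[current] = []
            continue
        if current is None or not line.strip() or line.split()[0] == "pkts":
            continue  # blank line or the column header row
        m = RULE_RE.match(line)
        if m:
            rule = m.groupdict()
            rule["extra"] = rule["extra"].strip()  # e.g. "state INVALID", "tcp dpt:3879"
            chains[current].append(rule)
    return chains


def check_fwaas_wiring(chains, ns_type):
    """Return a list of problems; an empty list means the namespace is wired
    the way the post-firewall-create logs above show for ns_type."""
    glob = IFACE_PREFIX[ns_type] + "+"
    fwd = chains.get("neutron-l3-agent-FORWARD") or []
    if not fwd:
        return ["neutron-l3-agent-FORWARD is empty: no firewall applied here"]
    problems = []
    # Ingress policy chain is reached via out=<glob>, egress via in=<glob>.
    # Chains bound to the wrong glob for this namespace look present but
    # never see the N-S traffic, so the glob is checked, not just the name.
    iv = [r for r in fwd if r["target"].startswith("neutron-l3-agent-iv") and r["out"] == glob]
    ov = [r for r in fwd if r["target"].startswith("neutron-l3-agent-ov") and r["in"] == glob]
    if not iv:
        problems.append("no ingress (iv) jump with out=%s" % glob)
    if not ov:
        problems.append("no egress (ov) jump with in=%s" % glob)
    # The default-drop jumps must come after the policy chains, otherwise
    # every packet is dropped before the policy is consulted.
    targets = [r["target"] for r in fwd]
    policy = [i for i, t in enumerate(targets)
              if t.startswith(("neutron-l3-agent-iv", "neutron-l3-agent-ov"))]
    default = [i for i, t in enumerate(targets) if t.startswith("neutron-l3-agent-fwaas-defau")]
    if len(default) < 2:
        problems.append("expected default-drop jumps for both directions")
    elif policy and default[0] < policy[-1]:
        problems.append("default-drop jump precedes the policy chains")
    # Each policy chain starts with DROP state INVALID, then ACCEPT
    # RELATED,ESTABLISHED; stateful matching only works where both
    # directions of the flow cross this namespace (the N-S case).
    for r in iv + ov:
        rules = chains.get(r["target"], [])
        ok = (len(rules) >= 2 and rules[0]["target"] == "DROP" and "INVALID" in rules[0]["extra"]
              and rules[1]["target"] == "ACCEPT" and "ESTABLISHED" in rules[1]["extra"])
        if not ok:
            problems.append("%s lacks the leading state rules" % r["target"])
    dflt = chains.get("neutron-l3-agent-fwaas-defau", [])
    if not (dflt and dflt[0]["target"] == "DROP" and dflt[0]["prot"] == "all"):
        problems.append("neutron-l3-agent-fwaas-defau does not DROP all")
    return problems
```

Feed it the output of `sudo ip netns exec <namespace> iptables -n -L -v` for each namespace and run the check with the matching type; the snat namespace of the same router should pass with "dvr-snat" and fail with "dvr-qrouter".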

Latest revision as of 13:49, 10 September 2014

FWaaS DVR

With DVR, flows can be asymmetric with respect to a router. FWaaS, implemented with iptables, relies on seeing both directions of a flow for stateful inspection. DVR introduces additional network namespaces that handle different aspects of a traffic flow. The initial target is to ensure that FWaaS is applied correctly to North-South (N-S) traffic flows; this gives us perimeter firewall support.

The changes ensure that FWaaS rules are applied in the correct network namespace on the network node as well as on the compute node. FWaaS support for East-West traffic is not being addressed at this time.

FWaaS DVR Blueprint

FWaaS DVR Spec

FWaaS DVR Patch

FWaaS DVR Migration

Centralized to distributed: there will be a check inside the plugin that throws an exception if a firewall has been configured. This requires a helper that can tell whether a firewall is configured.

Mix of centralized and distributed routers, and migrating between different types: although this might work, the behavior is not yet known, and our initial target is to tackle only the limited transition from centralized to distributed.

Distributed to centralized: there needs to be a check inside the plugin that throws an exception if a firewall has been configured. This requires the same helper, although this case is not the likely one to be addressed.

FWaaS DVR Setup

A single-node setup requires the following changes to localrc:

Q_PLUGIN=ml2

Q_ML2_TENANT_NETWORK_TYPE=vxlan

Q_DVR_MODE=dvr_snat

Sample namespaces created:

qdhcp-de6d0488-b95f-48b6-93e9-5ab7c0c96e1d

qdhcp-13465298-a563-4c1c-88f6-4c1abc26dbac

snat-0391ee86-08ea-4186-ac00-6f550554e4e7

qrouter-0391ee86-08ea-4186-ac00-6f550554e4e7

Testing

Manual testing testcases

  1. Legacy Firewall: Create FW, check qrouter namespace, Datapath test.
  2. Legacy Firewall: Add a router with FW present - make sure that new qrouter namespace is populated.
  3. DVR Single Node - Create VM, Check namespaces, Ping br-ex
  4. DVR Single Node - Associate Floating IP, check namespaces, ping br-ex
  5. DVR Single Node - create FW, check for rules in namespaces, ping br-ex for data path
  6. DVR Single Node - with FW, create a router, set gw, check namespace
  7. DVR Single Node - with FW, add router interface to (6) check namespace
  8. DVR Multi Node - on Compute Node - Create VM, Check namespaces, Ping br-ex
  9. DVR Multi Node - on Compute Node After (8), add FW, check ping to br-ex
  10. DVR Multi Node - on Compute Node Associate Floating IP, check namespaces
  11. DVR Multi Node - on Compute Node Create another subnet with a VM - ping other VM (E - W scenario)

+--------------------+--------------------------------------+
[stack@skandasw-2:/home/stack/devstack] master ± neutron firewall-show 2b9d2753-b8df-4134-8908-3bd019b5e6dd
+--------------------+--------------------------------------+
| Field              | Value                                |
+--------------------+--------------------------------------+
| admin_state_up     | True                                 |
| description        |                                      |
| firewall_policy_id | 323afcfd-f29d-46e1-a896-4212866948b9 |
| id                 | 2b9d2753-b8df-4134-8908-3bd019b5e6dd |
| name               |                                      |
| status             | ACTIVE                               |
| tenant_id          | 1f14a09f0d034745b1b455264b7593c9     |
+--------------------+--------------------------------------+
[stack@skandasw-2:/home/stack/devstack] master ± 
Recheck namespace, Rules seen

[stack@skandasw-2:/home/stack/devstack] master ± sudo ip netns exec qrouter-c79d0c27-f998-448c-b240-60ec1b08b89d iptables -n -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 neutron-l3-agent-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 neutron-l3-agent-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 neutron-l3-agent-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-filter-top (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 neutron-l3-agent-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-l3-agent-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 neutron-l3-agent-iv42b9d2753  all  --  *      qr-+    0.0.0.0/0            0.0.0.0/0           
    0     0 neutron-l3-agent-ov42b9d2753  all  --  qr-+   *       0.0.0.0/0            0.0.0.0/0           
    0     0 neutron-l3-agent-fwaas-defau  all  --  *      qr-+    0.0.0.0/0            0.0.0.0/0           
    0     0 neutron-l3-agent-fwaas-defau  all  --  qr-+   *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-l3-agent-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:9697

Chain neutron-l3-agent-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain neutron-l3-agent-fwaas-defau (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-l3-agent-iv42b9d2753 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3879

Chain neutron-l3-agent-local (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain neutron-l3-agent-ov42b9d2753 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3879
[stack@skandasw-2:/home/stack/devstack] master ± 

2. Legacy Firewall: Add a router with FW present - make sure that new qrouter namespace is populated.

[stack@skandasw-2:/home/stack/devstack] master ± neutron router-create router2
Created a new router:
+-----------------------+--------------------------------------+
| Field                 | Value                                |
+-----------------------+--------------------------------------+
| admin_state_up        | True                                 |
| external_gateway_info |                                      |
| id                    | e2fbf4f2-c97d-45a6-afaf-8537d49c2e0c |
| name                  | router2                              |
| routes                |                                      |
| status                | ACTIVE                               |
| tenant_id             | 1f14a09f0d034745b1b455264b7593c9     |
+-----------------------+--------------------------------------+
[stack@skandasw-2:/home/stack/devstack] master ± neutron net-list
+--------------------------------------+---------+--------------------------------------------------+
| id                                   | name    | subnets                                          |
+--------------------------------------+---------+--------------------------------------------------+
| 3ade806e-bee9-4b9d-bb35-ec8b3ed50e0f | private | 917a20e9-60e6-4faf-9bcd-8f6ba9d40ba3 10.0.0.0/24 |
| b9b27d1e-924b-4386-bbb5-841bb043eae4 | public  | c57aa790-0383-474d-b4ef-8d57217bcc6c             |
+--------------------------------------+---------+--------------------------------------------------+


[stack@skandasw-2:/home/stack/devstack] master 2 ± neutron net-create private2
Created a new network:
+-----------------+--------------------------------------+
| Field           | Value                                |
+-----------------+--------------------------------------+
| admin_state_up  | True                                 |
| id              | a62ddb50-c195-4601-b8de-1f9a9f60c5b9 |
| name            | private2                             |
| router:external | False                                |
| shared          | False                                |
| status          | ACTIVE                               |
| subnets         |                                      |
| tenant_id       | 1f14a09f0d034745b1b455264b7593c9     |
+-----------------+--------------------------------------+

[stack@skandasw-2:/home/stack/devstack] master ± neutron subnet-create private2 11.0.0.0/24
Created a new subnet:
+-------------------+--------------------------------------------+
| Field             | Value                                      |
+-------------------+--------------------------------------------+
| allocation_pools  | {"start": "11.0.0.2", "end": "11.0.0.254"} |
| cidr              | 11.0.0.0/24                                |
| dns_nameservers   |                                            |
| enable_dhcp       | True                                       |
| gateway_ip        | 11.0.0.1                                   |
| host_routes       |                                            |
| id                | c6751a78-a950-41bf-a3dd-ac377f8015e2       |
| ip_version        | 4                                          |
| ipv6_address_mode |                                            |
| ipv6_ra_mode      |                                            |
| name              |                                            |
| network_id        | a62ddb50-c195-4601-b8de-1f9a9f60c5b9       |
| tenant_id         | 1f14a09f0d034745b1b455264b7593c9           |
+-------------------+--------------------------------------------+
New namespace for router seen
[stack@skandasw-2:/home/stack/devstack] master ± sudo ip netns
qrouter-e2fbf4f2-c97d-45a6-afaf-8537d49c2e0c
qrouter-c79d0c27-f998-448c-b240-60ec1b08b89d


[stack@skandasw-2:/home/stack/devstack] master ± neutron firewall-show 2b9d2753-b8df-4134-8908-3bd019b5e6dd
+--------------------+--------------------------------------+
| Field              | Value                                |
+--------------------+--------------------------------------+
| admin_state_up     | True                                 |
| description        |                                      |
| firewall_policy_id | 323afcfd-f29d-46e1-a896-4212866948b9 |
| id                 | 2b9d2753-b8df-4134-8908-3bd019b5e6dd |
| name               |                                      |
| status             | ACTIVE                               |
| tenant_id          | 1f14a09f0d034745b1b455264b7593c9     |
+--------------------+--------------------------------------+
Check for rules
[stack@skandasw-2:/home/stack/devstack] master ± sudo ip netns exec qrouter-e2fbf4f2-c97d-45a6-afaf-8537d49c2e0c iptables -n -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 neutron-l3-agent-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 neutron-l3-agent-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 neutron-l3-agent-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-filter-top (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 neutron-l3-agent-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-l3-agent-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 neutron-l3-agent-iv42b9d2753  all  --  *      qr-+    0.0.0.0/0            0.0.0.0/0           
    0     0 neutron-l3-agent-ov42b9d2753  all  --  qr-+   *       0.0.0.0/0            0.0.0.0/0           
    0     0 neutron-l3-agent-fwaas-defau  all  --  *      qr-+    0.0.0.0/0            0.0.0.0/0           
    0     0 neutron-l3-agent-fwaas-defau  all  --  qr-+   *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-l3-agent-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:9697

Chain neutron-l3-agent-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain neutron-l3-agent-fwaas-defau (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-l3-agent-iv42b9d2753 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3879

Chain neutron-l3-agent-local (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain neutron-l3-agent-ov42b9d2753 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3879
[stack@skandasw-2:/home/stack/devstack] master ±

3. DVR Single Node - Create VM, Check namespaces, Ping br-ex

Created a VM from horizon and verified that pings to br-ex succeed.
[stack@skandasw-2:/home/stack/devstack] master ± sudo ip netns
snat-e4d280aa-73c7-4615-abea-bf847fb215b6
qrouter-e4d280aa-73c7-4615-abea-bf847fb215b6
[stack@skandasw-2:/home/stack/devstack] master ± 


[stack@skandasw-2:/home/stack/devstack] master ± sudo ip netns exec snat-e4d280aa-73c7-4615-abea-bf847fb215b6 iptables -n -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 neutron-l3-agent-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 neutron-l3-agent-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 neutron-l3-agent-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-filter-top (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 neutron-l3-agent-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-l3-agent-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain neutron-l3-agent-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain neutron-l3-agent-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain neutron-l3-agent-local (1 references)
 pkts bytes target     prot opt in     out     source               destination         


[stack@skandasw-2:/home/stack/devstack] master ± sudo ip netns exec qrouter-e4d280aa-73c7-4615-abea-bf847fb215b6 iptables -n -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 neutron-l3-agent-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 neutron-l3-agent-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 neutron-l3-agent-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-filter-top (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 neutron-l3-agent-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-l3-agent-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain neutron-l3-agent-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:9697

Chain neutron-l3-agent-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain neutron-l3-agent-local (1 references)
 pkts bytes target     prot opt in     out     source               destination         
[stack@skandasw-2:/home/stack/devstack] master ± 

4. DVR Single Node - Associate Floating IP, check namespaces, ping br-ex

Add Floating IP to VM
[stack@skandasw-2:/home/stack/devstack] master ± sudo ip netns
fip-22fa2b34-351e-490c-a8d4-929af8bfed78
qdhcp-2113d721-bf77-441c-b486-6f63357fadf3
snat-e4d280aa-73c7-4615-abea-bf847fb215b6
qrouter-e4d280aa-73c7-4615-abea-bf847fb215b6

5. DVR Single Node - create FW, check for rules in namespaces, ping br-ex for data path

[stack@skandasw-2:/home/stack/devstack] master ± sudo ip netns exec qrouter-e4d280aa-73c7-4615-abea-bf847fb215b6 iptables -n -L -v
Chain INPUT (policy ACCEPT 3 packets, 714 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    3   714 neutron-l3-agent-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 37 packets, 3108 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  108  9072 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  108  9072 neutron-l3-agent-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 1 packets, 84 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    84 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    1    84 neutron-l3-agent-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-filter-top (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  109  9156 neutron-l3-agent-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-l3-agent-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   37  3108 neutron-l3-agent-iv4a0f5d9dd  all  --  *      rfp-+   0.0.0.0/0            0.0.0.0/0           
   34  2856 neutron-l3-agent-ov4a0f5d9dd  all  --  rfp-+  *       0.0.0.0/0            0.0.0.0/0           
    0     0 neutron-l3-agent-fwaas-defau  all  --  *      rfp-+   0.0.0.0/0            0.0.0.0/0           
    0     0 neutron-l3-agent-fwaas-defau  all  --  rfp-+  *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-l3-agent-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:9697

Chain neutron-l3-agent-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain neutron-l3-agent-fwaas-defau (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-l3-agent-iv4a0f5d9dd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
   33  2772 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    3   252 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3879

Chain neutron-l3-agent-local (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain neutron-l3-agent-ov4a0f5d9dd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
   33  2772 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3879



[stack@skandasw-2:/home/stack/devstack] master ± sudo ip netns exec snat-e4d280aa-73c7-4615-abea-bf847fb215b6 iptables -n -L -v
Chain INPUT (policy ACCEPT 2 packets, 630 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    2   630 neutron-l3-agent-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 6 packets, 504 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    6   504 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    6   504 neutron-l3-agent-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 neutron-l3-agent-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-filter-top (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    6   504 neutron-l3-agent-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-l3-agent-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 neutron-l3-agent-iv4a0f5d9dd  all  --  *      sg-+    0.0.0.0/0            0.0.0.0/0           
    0     0 neutron-l3-agent-ov4a0f5d9dd  all  --  sg-+   *       0.0.0.0/0            0.0.0.0/0           
    0     0 neutron-l3-agent-fwaas-defau  all  --  *      sg-+    0.0.0.0/0            0.0.0.0/0           
    0     0 neutron-l3-agent-fwaas-defau  all  --  sg-+   *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-l3-agent-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain neutron-l3-agent-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain neutron-l3-agent-fwaas-defau (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain neutron-l3-agent-iv4a0f5d9dd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3879

Chain neutron-l3-agent-local (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain neutron-l3-agent-ov4a0f5d9dd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3879
[stack@skandasw-2:/home/stack/devstack] master ± 
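An added example, not code from the wiki page or from Neutron: a small Python parser for the `iptables -n -L -v` dumps shown above that reproduces the by-hand checks done in test cases 1, 2 and 5 (FWaaS iv/ov chains hooked from neutron-l3-agent-FORWARD on the expected port prefix, default-drop chain wired in both directions, stateful INVALID/RELATED,ESTABLISHED rules first) and reports which DROP rules have matched traffic. The sample dump is a condensed copy of the test case 5 qrouter output; the function names and the interface-prefix argument are my own.

```python
import re

# Constructed sample: a condensed copy of the DVR qrouter dump from test case 5
# above (only the FWaaS-related chains are kept; counters are as logged).
SAMPLE_QROUTER_DVR = """\
Chain neutron-l3-agent-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
   37  3108 neutron-l3-agent-iv4a0f5d9dd  all  --  *      rfp-+   0.0.0.0/0            0.0.0.0/0
   34  2856 neutron-l3-agent-ov4a0f5d9dd  all  --  rfp-+  *       0.0.0.0/0            0.0.0.0/0
    0     0 neutron-l3-agent-fwaas-defau  all  --  *      rfp-+   0.0.0.0/0            0.0.0.0/0
    0     0 neutron-l3-agent-fwaas-defau  all  --  rfp-+  *       0.0.0.0/0            0.0.0.0/0
Chain neutron-l3-agent-fwaas-defau (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain neutron-l3-agent-iv4a0f5d9dd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
   33  2772 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    3   252 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3879
Chain neutron-l3-agent-ov4a0f5d9dd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
   33  2772 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3879
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}


def _count(tok):
    # Without -x, iptables -v abbreviates large counters (e.g. 12K); expand them.
    return int(tok[:-1]) * SUFFIX[tok[-1]] if tok[-1] in SUFFIX else int(tok)


def parse_iptables(text):
    """Return {chain: [rule, ...]} from `iptables -n -L -v` output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        f = line.split()
        if current is None or len(f) < 9 or f[0] == "pkts":
            continue  # blank line or column header
        # columns: pkts bytes target prot opt in out source destination [match...]
        chains[current].append({
            "pkts": _count(f[0]), "target": f[2], "prot": f[3],
            "in": f[5], "out": f[6], "match": " ".join(f[9:]),
        })
    return chains


def fwaas_status(chains, iface_prefix):
    """Reproduce the by-hand checks from the logs above for one namespace.
    iface_prefix is the port glob FWaaS hooks: qr-+ (legacy), rfp-+ (DVR qrouter), sg-+ (DVR snat)."""
    fwd = chains.get("neutron-l3-agent-FORWARD", [])
    iv = [r for r in fwd if r["target"].startswith("neutron-l3-agent-iv") and r["out"] == iface_prefix]
    ov = [r for r in fwd if r["target"].startswith("neutron-l3-agent-ov") and r["in"] == iface_prefix]
    dflt = [r for r in fwd if r["target"].startswith("neutron-l3-agent-fwaas-defau")]

    def stateful(chain):
        rules = chains.get(chain, [])
        return (len(rules) >= 2
                and rules[0]["target"] == "DROP" and "INVALID" in rules[0]["match"]
                and rules[1]["target"] == "ACCEPT" and "RELATED,ESTABLISHED" in rules[1]["match"])

    # Explicit DROP rules in the firewall chains that have matched packets: in test
    # case 5 this is how the pings blocked on the way to br-ex show up.
    hits = [(c["target"], r["prot"], r["pkts"]) for c in iv + ov
            for r in chains.get(c["target"], []) if r["target"] == "DROP" and r["pkts"] > 0]
    return {
        "fw_present": bool(iv) and bool(ov),
        "default_drop_wired": len(dflt) == 2 and any(
            r["target"] == "DROP" for r in chains.get("neutron-l3-agent-fwaas-defau", [])),
        "stateful": bool(iv + ov) and all(stateful(c["target"]) for c in iv + ov),
        "drop_hits": hits,
    }
```

Run it on a live dump with `sudo ip netns exec <ns> iptables -n -L -v` piped into `parse_iptables`; a legacy qrouter is checked with `qr-+` and a DVR snat namespace with `sg-+`.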

6. DVR Single Node - with FW, create a router, set gw, check namespace

7. DVR Single Node - with FW, add router interface to (6) check namespace