To see how firewall policies are applied to a Neutron router, take note of the following firewall rule, which allows HTTP traffic from any source to any destination on TCP port 80:
The firewall rule was applied to the policy named MyFirewallPolicy, as shown in the following screenshot:
As the final step, the policy is associated with a firewall, MyFirewall, as shown in the following screenshot:
Once a firewall is created, the rules within the firewall policy are implemented on the associated router. Running iptables -L -t filter or iptables-save within a router namespace reveals the iptables rules that are implemented by the L3 agent. For readability, only the filter table is shown in the following screenshot:
As with security groups, the FORWARD chain is used as the traffic is forwarded through the namespace rather than directed at it:
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-l3-agent-FORWARD
A neutron-filter-top chain does not exist, so the traffic moves to the neutron-l3-agent-FORWARD chain, as shown in the following screenshot:
The first rule matches all traffic exiting any qr-* interface attached to the router and sends it to the neutron-l3-agent-iv4a4040d8b chain:
The packets that are invalid are dropped, while the established connections are accepted without further processing. New connections destined to any destination address on port 80 are allowed.
The next rule in the neutron-l3-agent-FORWARD chain matches all traffic entering any qr-* interface attached to the router and sends it to the neutron-l3-agent-ov4a4040d8b chain:
As with the previous chain, the packets that are invalid are dropped, while the established connections are accepted without further processing. New connections destined to any outside network on port 80 are allowed.
The traffic that does not match rules in either of the mentioned chains is dropped by the neutron-l3-agent-fwaas-defau chain via the following rule:
-A neutron-l3-agent-fwaas-defau -j DROP
Unlike security group rules, there is no way to differentiate between the directions of the traffic when we create firewall rules with the FWaaS API. By default, firewall rules are applied to both incoming and outgoing traffic in an identical manner. Work is underway in the FWaaS project to solve this issue and others in future OpenStack releases.
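To make the chain traversal described above concrete, the following added example (not code from the book or from Neutron) parses a constructed iptables-save excerpt laid out like the FWaaS chains shown here and walks the FORWARD chain for a given packet. The a4040d8b chain suffix is taken from the text; the exact rule lines, the two jumps into neutron-l3-agent-fwaas-defau, and the packet fields are assumptions made for the example.

```python
import re

# Constructed iptables-save excerpt modelled on the chains the text describes (rules are assumed).
SAMPLE_RULES = """
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-l3-agent-FORWARD
-A neutron-l3-agent-FORWARD -o qr-+ -j neutron-l3-agent-iv4a4040d8b
-A neutron-l3-agent-FORWARD -i qr-+ -j neutron-l3-agent-ov4a4040d8b
-A neutron-l3-agent-FORWARD -o qr-+ -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-FORWARD -i qr-+ -j neutron-l3-agent-fwaas-defau
-A neutron-l3-agent-iv4a4040d8b -m state --state INVALID -j DROP
-A neutron-l3-agent-iv4a4040d8b -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-iv4a4040d8b -p tcp -m tcp --dport 80 -j ACCEPT
-A neutron-l3-agent-ov4a4040d8b -m state --state INVALID -j DROP
-A neutron-l3-agent-ov4a4040d8b -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-ov4a4040d8b -p tcp -m tcp --dport 80 -j ACCEPT
-A neutron-l3-agent-fwaas-defau -j DROP
"""

def parse_rules(text):
    """Parse iptables-save '-A' lines into {chain: [(matches, target), ...]}."""
    chains = {}
    for line in text.strip().splitlines():
        opts = dict(re.findall(r"(-[-\w]+) (\S+)", line))   # every option here takes one argument
        if "-A" in opts:
            matches = {k.lstrip("-"): v for k, v in opts.items() if k in ("-i", "-o", "-p", "--dport", "--state")}
            chains.setdefault(opts["-A"], []).append((matches, opts.get("-j")))
    return chains

def _matches(rule, pkt):
    """True if every match in the rule applies to the packet; 'qr-+' is an interface prefix wildcard."""
    iface = lambda pat, name: name.startswith(pat[:-1]) if pat.endswith("+") else name == pat
    checks = {"i": lambda v: iface(v, pkt["in"]), "o": lambda v: iface(v, pkt["out"]),
              "p": lambda v: v == pkt["proto"], "dport": lambda v: int(v) == pkt["dport"],
              "state": lambda v: pkt["state"] in v.split(",")}
    return all(checks[k](v) for k, v in rule.items())

def verdict(chains, chain, pkt, policy=None):
    """Walk a chain the way the kernel does: descend into user chains and stop at the first
    terminal target. A chain with no rules (neutron-filter-top here) simply returns to the caller."""
    for rule, target in chains.get(chain, []):
        if _matches(rule, pkt):
            result = target if target in ("ACCEPT", "DROP", "REJECT") else verdict(chains, target, pkt)
            if result is not None:
                return result
    return policy

def forward_verdict(pkt, text=SAMPLE_RULES):
    """Verdict for a packet forwarded through the router namespace (FORWARD policy assumed ACCEPT)."""
    return verdict(parse_rules(text), "FORWARD", pkt, policy="ACCEPT")
```

Packets are plain dicts with in, out, proto, dport and state keys, so a new TCP/80 flow toward a qr- interface is accepted while a new TCP/22 flow falls through to the default-drop chain.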