Demonstrating traffic flow through a firewall

To see how firewall policies are applied to a Neutron router, take note of the following firewall rule, which allows HTTP traffic from any source to any destination on TCP port 80:

Figure 11.10

The firewall rule was applied to the policy named MyFirewallPolicy as shown in the following screenshot:

Figure 11.11

As the final step, the policy is associated with a firewall, MyFirewall, as shown in the following screenshot:

Figure 11.12

Examining the chains

Once a firewall is created, the rules within the firewall policy are implemented on the associated router. Running iptables -L -t filter or iptables-save within the router's network namespace reveals the iptables rules that the L3 agent has implemented. For readability, only the filter table is shown in the following screenshot:

Figure 11.13

As with security groups, the FORWARD chain is used as the traffic is forwarded through the namespace rather than directed at it:

-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-l3-agent-FORWARD

A neutron-filter-top chain does not exist, so the traffic moves to the neutron-l3-agent-FORWARD chain, as shown in the following screenshot:

Figure 11.14

The first rule matches all traffic exiting any qr-* interface attached to the router and sends it to the neutron-l3-agent-iv4a4040d8b chain:

Figure 11.15

Invalid packets are dropped, while packets belonging to established connections are accepted without further processing. New connections to any destination address on TCP port 80 are allowed.

The next rule in the neutron-l3-agent-FORWARD chain matches all traffic entering any qr-* interface attached to the router and sends it to the neutron-l3-agent-ov4a4040d8b chain:

Figure 11.16

As with the previous chain, invalid packets are dropped, while packets belonging to established connections are accepted without further processing. New connections to any outside network on TCP port 80 are allowed.

Traffic that matches no rule in either of the chains above is dropped by the neutron-l3-agent-fwaas-defau chain via the following rule:

-A neutron-l3-agent-fwaas-defau -j DROP

Unlike security group rules, there is no way to differentiate between the directions of the traffic when we create firewall rules with the FWaaS API. By default, firewall rules are applied to both incoming and outgoing traffic in an identical manner. Work is underway in the FWaaS project to solve this issue and others in future OpenStack releases.
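The traversal described above (FORWARD into neutron-l3-agent-FORWARD, then the per-direction iv/ov chains, then the default DROP chain) can be modelled to check which verdict a given packet would receive. The following is an added Python example, not code from the book or from Neutron: the chain names and rule contents follow the page, while the Packet class, the rule evaluator and the two fall-through jumps to neutron-l3-agent-fwaas-defau are assumptions.

```python
import shlex
from dataclasses import dataclass

@dataclass
class Packet:
    in_if: str    # interface the packet entered the router namespace on
    out_if: str   # interface it will leave on
    dport: int    # TCP destination port (the model assumes TCP)
    state: str    # conntrack state: NEW, ESTABLISHED, RELATED or INVALID

# iptables-save style rules keyed by the page's chain names; the fall-through jumps to neutron-l3-agent-fwaas-defau are an assumption.
RULES = {
    "FORWARD": ["-j neutron-filter-top", "-j neutron-l3-agent-FORWARD"],
    "neutron-filter-top": [],  # empty, so traffic falls through as the page describes
    "neutron-l3-agent-FORWARD": [
        "-o qr-+ -j neutron-l3-agent-iv4a4040d8b",
        "-i qr-+ -j neutron-l3-agent-ov4a4040d8b",
        "-o qr-+ -j neutron-l3-agent-fwaas-defau",
        "-i qr-+ -j neutron-l3-agent-fwaas-defau"],
    "neutron-l3-agent-iv4a4040d8b": [
        "-m state --state INVALID -j DROP",
        "-m state --state RELATED,ESTABLISHED -j ACCEPT",
        "-p tcp -m tcp --dport 80 -j ACCEPT"],
    "neutron-l3-agent-fwaas-defau": ["-j DROP"],
}
RULES["neutron-l3-agent-ov4a4040d8b"] = RULES["neutron-l3-agent-iv4a4040d8b"]  # same rules, other direction

def _iface(pattern, name):  # iptables '+' is a prefix wildcard: 'qr-+' matches any qr-* interface
    return name.startswith(pattern[:-1]) if pattern.endswith("+") else pattern == name

def _matches(rule, pkt):
    toks = shlex.split(rule)
    for opt, val in zip(toks[::2], toks[1::2]):
        if opt == "-i" and not _iface(val, pkt.in_if): return False
        if opt == "-o" and not _iface(val, pkt.out_if): return False
        if opt == "--dport" and int(val) != pkt.dport: return False
        if opt == "--state" and pkt.state not in val.split(","): return False
    return True

def walk(chain, pkt):  # returns ACCEPT or DROP, or None when the chain falls through to its caller
    for rule in RULES.get(chain, []):
        if _matches(rule, pkt):
            target = rule.split()[-1]  # the -j target
            verdict = target if target in ("ACCEPT", "DROP") else walk(target, pkt)
            if verdict is not None:
                return verdict
    return None

def forward_verdict(pkt):
    return walk("FORWARD", pkt) or "ACCEPT"  # assumes the FORWARD chain policy is ACCEPT
```

Running forward_verdict on a NEW packet to port 80 leaving a qr- interface yields ACCEPT, the same packet to port 22 yields DROP from the default chain, and an ESTABLISHED packet to port 22 is accepted before the port check is reached.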
