8de0c36cb9
This patch implements a driver based on OVN, it creates port_group for every l3 firewall_group and adds relating ports to port_group, it also transforms firewall_rules to stateless acls. Tests will be put in the next patch.

NOTE: it depends on ML2/OVN.

Partially-Implements: blueprint support-l3-firewall-for-ovn-driver
Related-Bug: #1971958
Change-Id: If153645b3da198ef1746e98af80ac6f0a0b41bf9
16 lines
615 B
YAML
---
features:
  - L3 stateless firewall support for ML2/OVN driver is implemented.
issues:
  - |
    If the user configures stateful security group rules for VMs ports and
    stateless L3 firewall rules for gateway ports like this:

    - SG ingress rules: --remote_ip_prefix 0.0.0.0/0
    - FW ingress rules: --destination_ip_address 0.0.0.0/0 --action allow

    It only opens ingress traffic for another network to access VM, but the
    reply traffic (egress direction) also passes because it matches the
    committed conntrack entry.
    So it only works well with stateless security groups for VMs.