4d64670274
The current driver is implemented at [1], which will work in standalone mode. However, the most important function of fwaas v2 is "defense in depth". So this patch will enable fwg and sg to co-exist. That means a packet must be allowed by both of them.

[1] https://review.openstack.org/#/c/447251/

Co-Authored-By: Chandan Dutta Chowdhury <chandanc@juniper.net>
Change-Id: I3dc11c96637df765afa6abcc6ac9b24f942e53f7

17 lines
778 B
YAML
---
prelude: >
    Coexistence between security group and firewall group.
features:
  - L2 firewall group driver based OVS can work in coexistence mode.
    That means, if a port is associated with both firewall group and
    security group, then a packet must be allowed by both features.
other:
  - If a port is associated with both firewall group & security group and
    there is a security group logging, which is enabled to collect ``DROP``
    events for this port, then most of invalid packets will be dropped at
    firewall group for performance reason except first dropped packet, which
    is allowed by firewall group but not accepted by security group. So not
    every dropped packet will be logged (like in case of security group
    works in standalone mode).