Add note for openflow firewall
Tell something about the config option ``explicitly_egress_direct`` since there is something not so much clear for users now. Change-Id: I1c046d8140f93d9a8cd9e0bc43d3494e4f6a1ce7
This commit is contained in:
LIU Yulong
liuyulong
parent
5c2193af76
commit
4f249b8579
|
|
@ -110,6 +110,14 @@ conntrack first with an ``action=ct()`` rule. An accepted flow means that
|
|||
ingress packets for the connection are directly sent to the port, and egress
|
||||
packets are left to be normally switched by the integration bridge.
|
||||
|
||||
.. note::
|
||||
|
||||
There is a new config option ``explicitly_egress_direct``, if it is set
|
||||
to True, it will direct egress unicast traffic to local port directly
|
||||
or to patch bridge port if destination is in remote host. So there is
|
||||
no NORMAL for egress in such scenario. This option is used to overcome
|
||||
the egress packet flooding when openflow firewall is enabled.
|
||||
|
||||
Connections that are not matched by the above rules are sent to either the
|
||||
ingress or egress filtering table, depending on its direction. The reason the
|
||||
rules are based on security group rules in separate tables is to make it easy
|
||||
|
|
@ -197,6 +205,9 @@ the second security group. Ports have following attributes:
|
|||
- can receive IP packets from security group 3
|
||||
- allowed address pair: 10.1.0.0/24, fa:16:3e:8c:84:14
|
||||
|
||||
Port 3
|
||||
- patch bridge port (e.g. patch-tun) in OVS bridge
|
||||
|
||||
|table_0| contains a low priority rule to continue packets processing in
|
||||
|table_60| aka TRANSIENT table. |table_0| is left for use to other
|
||||
features that take precedence over firewall, e.g. DVR. The only requirement is
|
||||
|
|
@ -495,6 +506,23 @@ same as in |table_72|.
|
|||
migrated to a port on a different node, then the new port won't contain
|
||||
conntrack information about previous traffic that happened with VIP.
|
||||
|
||||
By default the |table_94| will have one single flow like this:
|
||||
|
||||
::
|
||||
|
||||
table=94, priority=1 actions=NORMAL
|
||||
|
||||
If ``explicitly_egress_direct`` is set to True, flows of |table_94|
|
||||
will be:
|
||||
|
||||
::
|
||||
|
||||
table=94, priority=12,reg6=0x284,dl_dst=fa:16:3e:a4:22:10 actions=output:1
|
||||
table=94, priority=12,reg6=0x284,dl_dst=fa:16:3e:24:57:c7 actions=output:2
|
||||
table=94, priority=10,reg6=0x284,dl_src=fa:16:3e:a4:22:10,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 actions=push_vlan:0x8100,set_field:0x1->vlan_vid,output:3
|
||||
table=94, priority=10,reg6=0x284,dl_src=fa:16:3e:24:57:c7,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 actions=push_vlan:0x8100,set_field:0x1->vlan_vid,output:3
|
||||
table=94, priority=1 actions=NORMAL
|
||||
|
||||
OVS firewall integration points
|
||||
-------------------------------
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue