Merge "Add note for openflow firewall"
This commit is contained in:
commit
72b7996966
@ -110,6 +110,14 @@ conntrack first with an ``action=ct()`` rule. An accepted flow means that
|
|||||||
ingress packets for the connection are directly sent to the port, and egress
|
ingress packets for the connection are directly sent to the port, and egress
|
||||||
packets are left to be normally switched by the integration bridge.
|
packets are left to be normally switched by the integration bridge.
|
||||||
|
|
||||||
|
.. note::
|
||||||
|
|
||||||
|
There is a new config option ``explicitly_egress_direct``, if it is set
|
||||||
|
to True, it will direct egress unicast traffic to local port directly
|
||||||
|
or to patch bridge port if destination is in remote host. So there is
|
||||||
|
no NORMAL for egress in such scenario. This option is used to overcome
|
||||||
|
the egress packet flooding when openflow firewall is enabled.
|
||||||
|
|
||||||
Connections that are not matched by the above rules are sent to either the
|
Connections that are not matched by the above rules are sent to either the
|
||||||
ingress or egress filtering table, depending on its direction. The reason the
|
ingress or egress filtering table, depending on its direction. The reason the
|
||||||
rules are based on security group rules in separate tables is to make it easy
|
rules are based on security group rules in separate tables is to make it easy
|
||||||
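Review bot: "So there is no NORMAL for egress in such scenario" overstates what the option does; the |table_94| flows added later in this same patch keep a ``priority=1 actions=NORMAL`` fallback, and the direct-output rules only match unicast (``dl_dst=00:00:00:00:00:00/01:00:00:00:00:00``), so broadcast and multicast egress still goes through NORMAL. Suggest "egress unicast traffic no longer takes the NORMAL action in this case; broadcast and multicast still do". The sentence is also a comma splice: "There is a new config option ``explicitly_egress_direct``. When it is set to True, egress unicast traffic is sent directly to the local port, or to the patch bridge port if the destination is on a remote host." Finally, the note names the option but not the config file or section it lives in, and does not say what "egress packet flooding" refers to (the integration bridge flooding unicast frames for MACs it has not learned); both would help an operator decide whether to enable it.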
@ -197,6 +205,9 @@ the second security group. Ports have following attributes:
|
|||||||
- can receive IP packets from security group 3
|
- can receive IP packets from security group 3
|
||||||
- allowed address pair: 10.1.0.0/24, fa:16:3e:8c:84:14
|
- allowed address pair: 10.1.0.0/24, fa:16:3e:8c:84:14
|
||||||
|
|
||||||
|
Port 3
|
||||||
|
- patch bridge port (e.g. patch-tun) in OVS bridge
|
||||||
|
|
||||||
|table_0| contains a low priority rule to continue packets processing in
|
|table_0| contains a low priority rule to continue packets processing in
|
||||||
|table_60| aka TRANSIENT table. |table_0| is left for use to other
|
|table_60| aka TRANSIENT table. |table_0| is left for use to other
|
||||||
features that take precedence over firewall, e.g. DVR. The only requirement is
|
features that take precedence over firewall, e.g. DVR. The only requirement is
|
||||||
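Review bot: "Port 3" is added to a list introduced by "Ports have following attributes", but unlike ports 1 and 2 it has no MAC address, IP address or security group listed, so a reader may assume they were omitted by mistake. State explicitly that port 3 is not a VM port, carries no security group and only exists in the example so that the ``output:3`` action in the |table_94| flows later in this patch has a referent, e.g. "- patch bridge port (e.g. patch-tun, or the int-br-* patch port for a provider network) in the OVS bridge; ofport 3, not subject to security groups".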
@ -495,6 +506,23 @@ same as in |table_72|.
|
|||||||
migrated to a port on a different node, then the new port won't contain
|
migrated to a port on a different node, then the new port won't contain
|
||||||
conntrack information about previous traffic that happened with VIP.
|
conntrack information about previous traffic that happened with VIP.
|
||||||
|
|
||||||
|
By default the |table_94| will have one single flow like this:
|
||||||
|
|
||||||
|
::
|
||||||
|
|
||||||
|
table=94, priority=1 actions=NORMAL
|
||||||
|
|
||||||
|
If ``explicitly_egress_direct`` is set to True, flows of |table_94|
|
||||||
|
will be:
|
||||||
|
|
||||||
|
::
|
||||||
|
|
||||||
|
table=94, priority=12,reg6=0x284,dl_dst=fa:16:3e:a4:22:10 actions=output:1
|
||||||
|
table=94, priority=12,reg6=0x284,dl_dst=fa:16:3e:24:57:c7 actions=output:2
|
||||||
|
table=94, priority=10,reg6=0x284,dl_src=fa:16:3e:a4:22:10,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 actions=push_vlan:0x8100,set_field:0x1->vlan_vid,output:3
|
||||||
|
table=94, priority=10,reg6=0x284,dl_src=fa:16:3e:24:57:c7,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 actions=push_vlan:0x8100,set_field:0x1->vlan_vid,output:3
|
||||||
|
table=94, priority=1 actions=NORMAL
|
||||||
|
|
||||||
OVS firewall integration points
|
OVS firewall integration points
|
||||||
-------------------------------
|
-------------------------------
|
||||||
|
|
||||||
|
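Review bot: the new |table_94| flow listing is not tied back to the example, and the fields it uses are not explained: say that ``reg6=0x284`` is the local VLAN/network register shared by both example ports, that ``output:1`` and ``output:2`` are ports 1 and 2 and ``output:3`` is the patch bridge port added as Port 3, and that ``dl_dst=00:00:00:00:00:00/01:00:00:00:00:00`` matches unicast only, so broadcast and multicast still fall through to ``priority=1 actions=NORMAL``. "flows of |table_94| will be:" should read "the flows of |table_94| for the example ports will be:". Worth a sentence as well that the ``priority=12`` rules match ``dl_dst`` but not ``dl_src``, which is acceptable only because |table_94| is reached by traffic that conntrack has already accepted, and that frames sent by these rules bypass NORMAL MAC learning on the integration bridge; both are the kind of caveat an operator enabling ``explicitly_egress_direct`` will want to find in this section.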