How to use FWAAS

asked 2014-08-01 07:20:41 -0500

Beny

updated 2014-08-04 02:30:36 -0500

I have two instances and I have to disable ping for one of the instances. So I created a firewall rule as below:

root@icehouse:~# neutron firewall-rule-list
+--------------------------------------+------+--------------------------------------+--------------------------------+---------+
| id                                   | name | firewall_policy_id                   | summary                        | enabled |
+--------------------------------------+------+--------------------------------------+--------------------------------+---------+
| b695d4fa-0522-4a17-b1e6-0bb6d83b5043 | test | fb1180c4-e051-4ddd-9a92-b2e829f4c983 | ICMP,                          | True    |
|                                      |      |                                      |  source: 0.0.0.0/24(none),     |         |
|                                      |      |                                      |  dest: 192.168.1.248/32(none), |         |
|                                      |      |                                      |  deny                          |         |
+--------------------------------------+------+--------------------------------------+--------------------------------+---------+

I hope the above rule denies ping only for 192.168.1.248, but the problem is that it denies ping for the other instance also. However, I have checked the iptables of the tenant router, and the result is below.

root@icehouse:/usr/lib/python2.7/dist-packages/neutron/services/firewall# ip netns exec qrouter-6a3ff74f-9bca-4ead-be64-9f67c1bfba72 iptables -L

Chain neutron-l3-agent-iv46576bcae (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
**DROP       icmp --  default/24           192.168.1.248**       

Chain neutron-l3-agent-local (1 references)
target     prot opt source               destination         

Chain neutron-l3-agent-ov46576bcae (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
**DROP       icmp --  default/24           192.168.1.248**

Note: the IP 192.168.1.248 is a floating IP address only.

Please help and let me know what I did wrong here.

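An added example, not code from the question or from Neutron: a small iptables-style matcher that evaluates the chain shown in the question (first match wins) against constructed packets, so the effect of a rule such as `ICMP, source 0.0.0.0/24, dest 192.168.1.248/32, deny` can be checked before it is applied to a router. It assumes a made-up external source address (203.0.113.9) and a made-up fixed IP (10.0.0.12) behind the floating IP from the question. The `after_floating_dnat` helper models a property of the Neutron L3 agent: floating-IP DNAT is done in the nat PREROUTING chain, so the FWaaS rules in the filter FORWARD chain see inbound traffic with the instance's fixed IP as destination, not the floating IP.

```python
"""Evaluate FWaaS rules the way iptables in the qrouter namespace would match them.

Added example: models the chain printed in the question, not Neutron's own code.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed packet as the filter table sees it: addresses, protocol, conntrack state."""
    src: str
    dst: str
    protocol: str          # "icmp", "tcp", "udp"
    state: str = "NEW"     # conntrack state: NEW, ESTABLISHED, RELATED, INVALID


@dataclass(frozen=True)
class Rule:
    """One iptables rule as Neutron renders an FWaaS rule: target, protocol, CIDRs, state."""
    target: str                     # "ACCEPT" or "DROP"
    protocol: str = "all"
    source: str = "0.0.0.0/0"       # iptables -L prints 0.0.0.0/0 as "anywhere"
    destination: str = "0.0.0.0/0"
    state: Optional[str] = None     # e.g. "INVALID" or "RELATED,ESTABLISHED"

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "all" and self.protocol != pkt.protocol:
            return False
        # CIDR membership: 0.0.0.0/24 covers only 0.0.0.0-0.0.0.255, not "any source"
        if ip_address(pkt.src) not in ip_network(self.source, strict=False):
            return False
        if ip_address(pkt.dst) not in ip_network(self.destination, strict=False):
            return False
        if self.state is not None and pkt.state not in self.state.split(","):
            return False
        return True


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> Tuple[str, Optional[int]]:
    """First matching rule wins, as in iptables; returns (verdict, index of matching rule or None)."""
    for i, rule in enumerate(chain):
        if rule.matches(pkt):
            return rule.target, i
    return policy, None


def after_floating_dnat(pkt: Packet, floating_to_fixed: dict) -> Packet:
    """Model the L3 agent's floating-IP DNAT (nat PREROUTING), which runs before the
    filter FORWARD chain carrying the FWaaS rules: traffic sent to a floating IP
    reaches those rules with the instance's fixed IP as destination."""
    return Packet(pkt.src, floating_to_fixed.get(pkt.dst, pkt.dst), pkt.protocol, pkt.state)


def addresses_covered(cidr: str) -> int:
    """Number of addresses a CIDR covers; useful for spotting a /24 that was meant as /0."""
    return ip_network(cidr, strict=False).num_addresses


# The chain from the question, with "default/24" written back as the CIDR it stands for.
ICEHOUSE_CHAIN = [
    Rule("DROP", state="INVALID"),
    Rule("ACCEPT", state="RELATED,ESTABLISHED"),
    Rule("DROP", protocol="icmp", source="0.0.0.0/24", destination="192.168.1.248/32"),
]

# The same deny rule with the "match any source" CIDR instead.
ANY_SOURCE_CHAIN = ICEHOUSE_CHAIN[:2] + [
    Rule("DROP", protocol="icmp", source="0.0.0.0/0", destination="192.168.1.248/32"),
]

# Constructed mapping: the floating IP from the question -> a made-up fixed IP.
FLOATING_TO_FIXED = {"192.168.1.248": "10.0.0.12"}


if __name__ == "__main__":
    ping = Packet("203.0.113.9", "192.168.1.248", "icmp")  # constructed external source
    print("0.0.0.0/24 covers", addresses_covered("0.0.0.0/24"), "addresses")
    print("rule as written:   ", evaluate(ICEHOUSE_CHAIN, ping))
    print("rule with /0 source:", evaluate(ANY_SOURCE_CHAIN, ping))
    print("after floating DNAT:", evaluate(ANY_SOURCE_CHAIN, after_floating_dnat(ping, FLOATING_TO_FIXED)))
```

Two things worth checking on a real router with this in mind: `iptables -L` without `-n` resolves 0.0.0.0 to the name `default` (from /etc/networks) and 0.0.0.0/0 to `anywhere`, so `iptables -nvL` shows the actual CIDRs and per-rule packet counters, which tell you directly whether a rule is the one matching; and because the FWaaS chains sit after floating-IP DNAT, a destination written as the floating IP does not describe what those chains see.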