Neutron/FWaaS/FWaaS-DVR
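FWaaS DVR
With DVR, we can have asymmetric flows with respect to the router. FWaaS, as an iptables implementation, relies on seeing both sides of a flow for stateful inspection. DVR introduces some additional network namespaces to handle different aspects of the traffic flows. The goal of the current effort is to ensure that FWaaS can be applied correctly to North-South (N-S) traffic flows. This gives us perimeter firewall support.
These changes ensure that FWaaS rules are applied in the correct network namespaces on the network node and on the compute nodes. FWaaS support for East-West traffic is currently not handled.
FWaaS DVR migration
Centralized to distributed: there will be a check inside the plugin that throws an exception if a firewall is configured; this requires a helper to know whether a firewall is configured.
A mix of centralized and distributed routers and migration to a different type: while this may work, the behavior is unclear; our initial goal is to address the limited conversion from centralized to distributed.
Distributed to centralized: a check is needed inside the plugin that throws an exception if a firewall is configured; this requires a helper to know whether a firewall is configured, although this case is unlikely to be addressed.
FWaaS DVR setup
A single-node setup requires the following changes to localrc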
Q_PLUGIN=ml2
Q_ML2_TENANT_NETWORK_TYPE=vxlan
Q_DVR_MODE=dvr_snat
Example namespaces created
qdhcp-de6d0488-b95f-48b6-93e9-5ab7c0c96e1d
qdhcp-13465298-a563-4c1c-88f6-4c1abc26dbac
snat-0391ee86-08ea-4186-ac00-6f550554e4e7
qrouter-0391ee86-08ea-4186-ac00-6f550554e4e7
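Testing
Manual test cases
1. Legacy firewall: create FW, check qrouter namespace, datapath test.
2. Legacy firewall: add a router with the FW in place - make sure the new qrouter namespace is populated.
3. DVR single node - create VM, check namespaces, ping br-ex
4. DVR single node - associate floating IP, check namespaces, ping br-ex
5. DVR single node - create FW, check rules in the namespaces, ping br-ex as a datapath test
6. DVR single node - with FW, create a router, set gw, check namespaces
7. DVR single node - with FW, add a router interface to (6), check namespaces
8. DVR multi-node - on the compute node - create VM, check namespaces, ping br-ex
9. DVR multi-node - on the compute node, after (8), add FW, check ping to br-ex
10. DVR multi-node - on the compute node, associate floating IP, check namespaces
11. DVR multi-node - on the compute node, create another subnet with a VM - ping the other VM (E-W scenario)
Manual test logs
1. Legacy firewall: create FW, check qrouter namespace, datapath test.
Check the baseline namespace: no rules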
[stack@skandasw-2:/home/stack/devstack] master 1 ± sudo ip netns exec qrouter-c79d0c27-f998-448c-b240-60ec1b08b89d iptables -n -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 neutron-l3-agent-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 neutron-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 neutron-l3-agent-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 neutron-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 neutron-l3-agent-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-filter-top (2 references)
pkts bytes target prot opt in out source destination
0 0 neutron-l3-agent-local all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-l3-agent-FORWARD (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-l3-agent-INPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 127.0.0.1 tcp dpt:9697
Chain neutron-l3-agent-OUTPUT (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-l3-agent-local (1 references)
pkts bytes target prot opt in out source destination
[stack@skandasw-2:/home/stack/devstack] master ±
Create the firewall
[stack@skandasw-2:/home/stack/devstack] master ± neutron firewall-create test-policy
Created a new firewall:
+--------------------+--------------------------------------+
| Field | Value |
+--------------------+--------------------------------------+
| admin_state_up | True |
| description | |
| firewall_policy_id | 323afcfd-f29d-46e1-a896-4212866948b9 |
| id | 2b9d2753-b8df-4134-8908-3bd019b5e6dd |
| name | |
| status | PENDING_CREATE |
| tenant_id | 1f14a09f0d034745b1b455264b7593c9 |
+--------------------+--------------------------------------+
[stack@skandasw-2:/home/stack/devstack] master ± neutron firewall-show 2b9d2753-b8df-4134-8908-3bd019b5e6dd
+--------------------+--------------------------------------+
| Field | Value |
+--------------------+--------------------------------------+
| admin_state_up | True |
| description | |
| firewall_policy_id | 323afcfd-f29d-46e1-a896-4212866948b9 |
| id | 2b9d2753-b8df-4134-8908-3bd019b5e6dd |
| name | |
| status | ACTIVE |
| tenant_id | 1f14a09f0d034745b1b455264b7593c9 |
+--------------------+--------------------------------------+
[stack@skandasw-2:/home/stack/devstack] master ±
Recheck the namespace: the rules are now present
[stack@skandasw-2:/home/stack/devstack] master ± sudo ip netns exec qrouter-c79d0c27-f998-448c-b240-60ec1b08b89d iptables -n -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 neutron-l3-agent-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 neutron-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 neutron-l3-agent-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 neutron-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 neutron-l3-agent-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-filter-top (2 references)
pkts bytes target prot opt in out source destination
0 0 neutron-l3-agent-local all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-l3-agent-FORWARD (1 references)
pkts bytes target prot opt in out source destination
0 0 neutron-l3-agent-iv42b9d2753 all -- * qr-+ 0.0.0.0/0 0.0.0.0/0
0 0 neutron-l3-agent-ov42b9d2753 all -- qr-+ * 0.0.0.0/0 0.0.0.0/0
0 0 neutron-l3-agent-fwaas-defau all -- * qr-+ 0.0.0.0/0 0.0.0.0/0
0 0 neutron-l3-agent-fwaas-defau all -- qr-+ * 0.0.0.0/0 0.0.0.0/0
Chain neutron-l3-agent-INPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 127.0.0.1 tcp dpt:9697
Chain neutron-l3-agent-OUTPUT (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-l3-agent-fwaas-defau (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-l3-agent-iv42b9d2753 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3879
Chain neutron-l3-agent-local (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-l3-agent-ov42b9d2753 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3879
[stack@skandasw-2:/home/stack/devstack] master ±
2. Legacy firewall: add a router with the FW in place - make sure the new qrouter namespace is populated.
[stack@skandasw-2:/home/stack/devstack] master ± neutron router-create router2
Created a new router:
+-----------------------+--------------------------------------+
| Field | Value |
+-----------------------+--------------------------------------+
| admin_state_up | True |
| external_gateway_info | |
| id | e2fbf4f2-c97d-45a6-afaf-8537d49c2e0c |
| name | router2 |
| routes | |
| status | ACTIVE |
| tenant_id | 1f14a09f0d034745b1b455264b7593c9 |
+-----------------------+--------------------------------------+
[stack@skandasw-2:/home/stack/devstack] master ± neutron net-list
+--------------------------------------+---------+--------------------------------------------------+
| id | name | subnets |
+--------------------------------------+---------+--------------------------------------------------+
| 3ade806e-bee9-4b9d-bb35-ec8b3ed50e0f | private | 917a20e9-60e6-4faf-9bcd-8f6ba9d40ba3 10.0.0.0/24 |
| b9b27d1e-924b-4386-bbb5-841bb043eae4 | public | c57aa790-0383-474d-b4ef-8d57217bcc6c |
+--------------------------------------+---------+--------------------------------------------------+
[stack@skandasw-2:/home/stack/devstack] master 2 ± neutron net-create private2
Created a new network:
+-----------------+--------------------------------------+
| Field | Value |
+-----------------+--------------------------------------+
| admin_state_up | True |
| id | a62ddb50-c195-4601-b8de-1f9a9f60c5b9 |
| name | private2 |
| router:external | False |
| shared | False |
| status | ACTIVE |
| subnets | |
| tenant_id | 1f14a09f0d034745b1b455264b7593c9 |
+-----------------+--------------------------------------+
[stack@skandasw-2:/home/stack/devstack] master ± neutron subnet-create private2 11.0.0.0/24
Created a new subnet:
+-------------------+--------------------------------------------+
| Field | Value |
+-------------------+--------------------------------------------+
| allocation_pools | {"start": "11.0.0.2", "end": "11.0.0.254"} |
| cidr | 11.0.0.0/24 |
| dns_nameservers | |
| enable_dhcp | True |
| gateway_ip | 11.0.0.1 |
| host_routes | |
| id | c6751a78-a950-41bf-a3dd-ac377f8015e2 |
| ip_version | 4 |
| ipv6_address_mode | |
| ipv6_ra_mode | |
| name | |
| network_id | a62ddb50-c195-4601-b8de-1f9a9f60c5b9 |
| tenant_id | 1f14a09f0d034745b1b455264b7593c9 |
+-------------------+--------------------------------------------+
=====new namespace for router seen=====
[stack@skandasw-2:/home/stack/devstack] master ± sudo ip netns
qrouter-e2fbf4f2-c97d-45a6-afaf-8537d49c2e0c
qrouter-c79d0c27-f998-448c-b240-60ec1b08b89d
[stack@skandasw-2:/home/stack/devstack] master ± neutron firewall-show 2b9d2753-b8df-4134-8908-3bd019b5e6dd
+--------------------+--------------------------------------+
| Field | Value |
+--------------------+--------------------------------------+
| admin_state_up | True |
| description | |
| firewall_policy_id | 323afcfd-f29d-46e1-a896-4212866948b9 |
| id | 2b9d2753-b8df-4134-8908-3bd019b5e6dd |
| name | |
| status | ACTIVE |
| tenant_id | 1f14a09f0d034745b1b455264b7593c9 |
+--------------------+--------------------------------------+
=====Check for rules=====
[stack@skandasw-2:/home/stack/devstack] master ± sudo ip netns exec qrouter-e2fbf4f2-c97d-45a6-afaf-8537d49c2e0c iptables -n -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 neutron-l3-agent-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 neutron-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 neutron-l3-agent-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 neutron-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 neutron-l3-agent-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-filter-top (2 references)
pkts bytes target prot opt in out source destination
0 0 neutron-l3-agent-local all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-l3-agent-FORWARD (1 references)
pkts bytes target prot opt in out source destination
0 0 neutron-l3-agent-iv42b9d2753 all -- * qr-+ 0.0.0.0/0 0.0.0.0/0
0 0 neutron-l3-agent-ov42b9d2753 all -- qr-+ * 0.0.0.0/0 0.0.0.0/0
0 0 neutron-l3-agent-fwaas-defau all -- * qr-+ 0.0.0.0/0 0.0.0.0/0
0 0 neutron-l3-agent-fwaas-defau all -- qr-+ * 0.0.0.0/0 0.0.0.0/0
Chain neutron-l3-agent-INPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 127.0.0.1 tcp dpt:9697
Chain neutron-l3-agent-OUTPUT (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-l3-agent-fwaas-defau (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-l3-agent-iv42b9d2753 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3879
Chain neutron-l3-agent-local (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-l3-agent-ov42b9d2753 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3879
[stack@skandasw-2:/home/stack/devstack] master ±
3. DVR single node - create VM, check namespaces, ping br-ex
Created a VM from Horizon and verified that ping to br-ex succeeds.
[stack@skandasw-2:/home/stack/devstack] master ± sudo ip netns
snat-e4d280aa-73c7-4615-abea-bf847fb215b6
qrouter-e4d280aa-73c7-4615-abea-bf847fb215b6
[stack@skandasw-2:/home/stack/devstack] master ±
[stack@skandasw-2:/home/stack/devstack] master ± sudo ip netns exec snat-e4d280aa-73c7-4615-abea-bf847fb215b6 iptables -n -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 neutron-l3-agent-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 neutron-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 neutron-l3-agent-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 neutron-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 neutron-l3-agent-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-filter-top (2 references)
pkts bytes target prot opt in out source destination
0 0 neutron-l3-agent-local all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-l3-agent-FORWARD (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-l3-agent-INPUT (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-l3-agent-OUTPUT (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-l3-agent-local (1 references)
pkts bytes target prot opt in out source destination
[stack@skandasw-2:/home/stack/devstack] master ± sudo ip netns exec qrouter-e4d280aa-73c7-4615-abea-bf847fb215b6 iptables -n -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 neutron-l3-agent-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 neutron-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 neutron-l3-agent-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 neutron-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 neutron-l3-agent-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-filter-top (2 references)
pkts bytes target prot opt in out source destination
0 0 neutron-l3-agent-local all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-l3-agent-FORWARD (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-l3-agent-INPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 127.0.0.1 tcp dpt:9697
Chain neutron-l3-agent-OUTPUT (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-l3-agent-local (1 references)
pkts bytes target prot opt in out source destination
[stack@skandasw-2:/home/stack/devstack] master ±
4. DVR single node - associate floating IP, check namespaces, ping br-ex
Add a floating IP to the VM
[stack@skandasw-2:/home/stack/devstack] master ± sudo ip netns
fip-22fa2b34-351e-490c-a8d4-929af8bfed78
qdhcp-2113d721-bf77-441c-b486-6f63357fadf3
snat-e4d280aa-73c7-4615-abea-bf847fb215b6
qrouter-e4d280aa-73c7-4615-abea-bf847fb215b6
5. DVR single node - create FW, check rules in the namespaces, ping br-ex as a datapath test
[stack@skandasw-2:/home/stack/devstack] master ± sudo ip netns exec qrouter-e4d280aa-73c7-4615-abea-bf847fb215b6 iptables -n -L -v
Chain INPUT (policy ACCEPT 3 packets, 714 bytes)
pkts bytes target prot opt in out source destination
3 714 neutron-l3-agent-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 37 packets, 3108 bytes)
pkts bytes target prot opt in out source destination
108 9072 neutron-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
108 9072 neutron-l3-agent-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 1 packets, 84 bytes)
pkts bytes target prot opt in out source destination
1 84 neutron-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
1 84 neutron-l3-agent-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-filter-top (2 references)
pkts bytes target prot opt in out source destination
109 9156 neutron-l3-agent-local all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-l3-agent-FORWARD (1 references)
pkts bytes target prot opt in out source destination
37 3108 neutron-l3-agent-iv4a0f5d9dd all -- * rfp-+ 0.0.0.0/0 0.0.0.0/0
34 2856 neutron-l3-agent-ov4a0f5d9dd all -- rfp-+ * 0.0.0.0/0 0.0.0.0/0
0 0 neutron-l3-agent-fwaas-defau all -- * rfp-+ 0.0.0.0/0 0.0.0.0/0
0 0 neutron-l3-agent-fwaas-defau all -- rfp-+ * 0.0.0.0/0 0.0.0.0/0
Chain neutron-l3-agent-INPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 127.0.0.1 tcp dpt:9697
Chain neutron-l3-agent-OUTPUT (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-l3-agent-fwaas-defau (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-l3-agent-iv4a0f5d9dd (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
33 2772 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 252 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3879
Chain neutron-l3-agent-local (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-l3-agent-ov4a0f5d9dd (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
33 2772 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3879
[stack@skandasw-2:/home/stack/devstack] master ± sudo ip netns exec snat-e4d280aa-73c7-4615-abea-bf847fb215b6 iptables -n -L -v
Chain INPUT (policy ACCEPT 2 packets, 630 bytes)
pkts bytes target prot opt in out source destination
2 630 neutron-l3-agent-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 6 packets, 504 bytes)
pkts bytes target prot opt in out source destination
6 504 neutron-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
6 504 neutron-l3-agent-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 neutron-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 neutron-l3-agent-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-filter-top (2 references)
pkts bytes target prot opt in out source destination
6 504 neutron-l3-agent-local all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-l3-agent-FORWARD (1 references)
pkts bytes target prot opt in out source destination
0 0 neutron-l3-agent-iv4a0f5d9dd all -- * sg-+ 0.0.0.0/0 0.0.0.0/0
0 0 neutron-l3-agent-ov4a0f5d9dd all -- sg-+ * 0.0.0.0/0 0.0.0.0/0
0 0 neutron-l3-agent-fwaas-defau all -- * sg-+ 0.0.0.0/0 0.0.0.0/0
0 0 neutron-l3-agent-fwaas-defau all -- sg-+ * 0.0.0.0/0 0.0.0.0/0
Chain neutron-l3-agent-INPUT (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-l3-agent-OUTPUT (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-l3-agent-fwaas-defau (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-l3-agent-iv4a0f5d9dd (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3879
Chain neutron-l3-agent-local (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-l3-agent-ov4a0f5d9dd (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3879
[stack@skandasw-2:/home/stack/devstack] master ±
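The namespace checks in tests 1 to 5 are done by eye; as an added example (not part of the original page or of Neutron), the script below parses `iptables -n -L -v` output from a namespace and reports whether the FWaaS chains are hooked on the expected interface prefix (`qr-+` for a legacy qrouter, `rfp-+` for a DVR qrouter, `sg-+` for the snat namespace, as seen in the logs above). The function names and the set of conditions checked are assumptions derived from those logs, and the sample listing is abridged from the snat output in test 5.

```python
import re

L3 = "neutron-l3-agent-"
CHAIN_RE = re.compile(r"^Chain (\S+) \(")

# Constructed sample: abridged from the snat namespace listing in test 5 on this page.
SNAT_WITH_FW = """\
Chain neutron-l3-agent-FORWARD (1 references)
pkts bytes target prot opt in out source destination
0 0 neutron-l3-agent-iv4a0f5d9dd all -- * sg-+ 0.0.0.0/0 0.0.0.0/0
0 0 neutron-l3-agent-ov4a0f5d9dd all -- sg-+ * 0.0.0.0/0 0.0.0.0/0
0 0 neutron-l3-agent-fwaas-defau all -- * sg-+ 0.0.0.0/0 0.0.0.0/0
0 0 neutron-l3-agent-fwaas-defau all -- sg-+ * 0.0.0.0/0 0.0.0.0/0
Chain neutron-l3-agent-fwaas-defau (2 references)
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-l3-agent-iv4a0f5d9dd (1 references)
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-l3-agent-ov4a0f5d9dd (1 references)
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
"""

def parse_chains(listing):
    """Parse `iptables -n -L -v` text into {chain_name: [rule, ...]}."""
    chains, current = {}, None
    for line in listing.splitlines():
        header = CHAIN_RE.match(line.strip())
        f = line.split()
        if header:
            current = chains.setdefault(header.group(1), [])
        # Rule rows: pkts bytes target prot opt in out source destination [match...]
        elif current is not None and len(f) >= 9 and f[0] != "pkts":
            current.append({"target": f[2], "prot": f[3], "in": f[5],
                            "out": f[6], "match": " ".join(f[9:])})
    return chains

def check_fwaas(listing, prefix):
    """Return a list of problems; an empty list means FWaaS is hooked on `prefix`."""
    chains = parse_chains(listing)
    forward = chains.get(L3 + "FORWARD", [])
    problems = []
    # Ingress policy (iv4) matches on the out-interface, egress (ov4) on the in-interface.
    for tag, side in (("iv4", "out"), ("ov4", "in")):
        jumps = [r["target"] for r in forward if r[side] == prefix]
        policy = [t for t in jumps if t.startswith(L3 + tag)]
        if not policy:
            problems.append(f"no {tag} policy chain hooked on {side}={prefix}")
        for name in policy:
            for target, state in (("DROP", "state INVALID"), ("ACCEPT", "RELATED,ESTABLISHED")):
                if not any(r["target"] == target and state in r["match"] for r in chains.get(name, [])):
                    problems.append(f"{name}: missing {target} for {state}")
        if not any(t.startswith(L3 + "fwaas-defau") for t in jumps):
            problems.append(f"no default-deny jump on {side}={prefix}")
    fallback = [r for n, rs in chains.items() if n.startswith(L3 + "fwaas-defau") for r in rs]
    if not any(r["target"] == "DROP" and r["prot"] == "all" and not r["match"] for r in fallback):
        problems.append("default-deny chain has no unconditional DROP")
    return problems
```

On a live node the listing would come from `sudo ip netns exec <namespace> iptables -n -L -v`; checking the same listing against the wrong prefix (for example `qr-+` on a snat namespace) returns the missing-hook problems.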
6. DVR single node - with FW, create a router, set gw, check namespaces
7. DVR single node - with FW, add a router interface to (6), check namespaces