Firewall rules – behind the scenes
To demonstrate how firewall policies are applied to a Neutron router, check out the following firewall rule that allows HTTP traffic from any remote host to any instance on TCP port 80:
Using the Neutron firewall-policy-create command, I have created a policy that contains the preceding rule:
Using the Neutron firewall-create command, I have created a firewall using the policy MyFirewallPolicy:
The firewall status will remain in PENDING_CREATE until the rules have been applied to the Neutron routers within the tenant, at which time the status will turn to ACTIVE:
Stepping through the chains within the firewall
As a result of creating the firewall, the rules within the firewall policy have been implemented on all routers within the tenant. This is not a desired behavior; rather, it is a limitation of FWaaS.
Running iptables-save within a router namespace reveals the iptables rules in place. For readability, only the filter table is shown in the following screenshot...
