Documentation/services/pcn-firewall/firewall.rst
Lines changed: 8 additions & 9 deletions
@@ -1,7 +1,9 @@
1
1
Firewall
2
2
========
3
3
4
-
This service is a transparent firewall, it can be connected between two interfaces, and it may drop or forward each packet that matches one of the defined rules, based on the source and destination IPv4 addresses, level 4 protocol and ports, and TCP flags. Policy rules can include one or more of the above fields; if a given field is missing, its content is influent for the matching. *Packets that are not ip are forwarded without any check*.
4
+
This service implements a transparent firewall. It can be attached to a port or a netdev, and it may drop or forward each packet that matches one of the defined rules, based on the source and destination IPv4 addresses, level 4 protocol and ports, and TCP flags.
5
+
Policy rules can include one or more of the above fields; if a given field is missing, its content does not influence the matching.
6
+
*Non-IP packets are always forwarded, without any check*.
5
7
6
8
Features
7
9
--------
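Review bot: The emphasized sentence "*Non-IP packets are always forwarded, without any check*" at new line 6 leaves IPv6 undefined, since the match fields listed on new line 4 are IPv4 addresses only. State explicitly whether IPv6 traffic counts as "Non-IP" and is therefore never filtered, because a reader deploying this as a transparent firewall needs to know exactly which traffic bypasses the rules. Two smaller points: "level 4 protocol" would read better as "layer 4 protocol", and the three added lines have no blank line between them, so reST renders them as one paragraph; add blank lines if separate paragraphs are intended.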
@@ -18,20 +20,17 @@ Supported features:
18
20
- ``Forward`` packet from the interface from which it was received to the other
19
21
- ``Drop`` packet
20
22
21
-
- Not IP packets are forwarded by default.
23
+
- Non-IP packets are always forwarded.
22
24
- Up to 5k rules for each chain (INGRESS/EGRESS).
23
25
24
26
How to use
25
27
----------
26
28
27
-
Ingress ad egress chains and ports
28
-
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
29
+
Ingress ad egress chains
30
+
^^^^^^^^^^^^^^^^^^^^^^^^
31
+
32
+
The service supports independent ingress and egress policy chains, with two different policy sets.
29
33
30
-
The service is based on the ingress and egress chains and ports idea.
31
-
The ``ingress port`` is by default the first port created, the ``egress port`` is by default the second port created. They can be changed respectively by issuing the commands ``polycubectl firewall fwname set ingress-port=portname`` and ``polycubectl firewall fwname set egress-port=portname``.
32
-
The ``ingress chain`` processes all the traffic coming from the ingress port, and either drops it or forwards it to the egress port.
33
-
The ``egress chain`` processes all the traffic coming from the egress port, and either drops it or forwards it to the ingress port.
34
-
Ingress and egress chains are independent and have two different policy sets.
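Review bot: The new heading at new line 29 still reads "Ingress ad egress chains"; change "ad" to "and" and extend the "^" underline by one character to match. The hunk also deletes the only description of which traffic each chain processes, along with the ``ingress-port`` and ``egress-port`` settings, and new line 32 does not say what ingress and egress mean relative to the port or netdev the firewall is attached to; add a sentence defining the direction of each chain. The unchanged line "``Forward`` packet from the interface from which it was received to the other" still describes the two-interface model and no longer matches the new introduction.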