Improve firewall recommendations for Neutron documentation
The documentation does not mention that either ufw or firewalld should be
disabled to operate a devstack+Neutron environment. This change adds a
description of fault symptoms as well as a simple workaround.
Change-Id: Ie0ec614dfa56febbf6588836d2e1fc057aa8830f
diff --git a/doc/source/guides/neutron.rst b/doc/source/guides/neutron.rst
index dc2fc71..90d4ca3 100644
--- a/doc/source/guides/neutron.rst
+++ b/doc/source/guides/neutron.rst
@@ -59,6 +59,40 @@
+Disabling Next Generation Firewall Tools
+========================================
+
+Devstack does not properly operate with modern firewall tools. Specifically
+it will appear as if the guest VM can access the external network via ICMP,
+but UDP and TCP packets will not be delivered to the guest VM. The root cause
+of the issue is that both ufw (Uncomplicated Firewall) and firewalld (Fedora's
+firewall manager) apply firewall rules to all interfaces in the system, rather
+then per-device. One solution to this problem is to revert to iptables
+functionality.
+
+To get a functional firewall configuration for Fedora do the following:
+
+::
+
+ sudo service iptables save
+ sudo systemctl disable firewalld
+ sudo systemctl enable iptables
+ sudo systemctl stop firewalld
+ sudo systemctl start iptables
+
+
+To get a functional firewall configuration for distributions containing ufw,
+disable ufw. Note ufw is generally not enabled by default in Ubuntu. To
+disable ufw if it was enabled, do the following:
+
+::
+
+ sudo service iptables save
+ sudo ufw disable
+
+
+
+
Neutron Networking with Open vSwitch
====================================
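Review bot: In both command blocks `sudo service iptables save` runs while firewalld or ufw is still active, so it would persist whatever rules those tools have loaded at that moment, which seems to carry the problem described in the first paragraph over to the iptables service. Consider stopping and disabling the manager first, or stating what the save is meant to preserve. The ufw block also gives no hint that an `iptables` service exists on ufw-based distributions, so that line either needs a prerequisite or should be dropped. In the root-cause sentence, "rather then per-device" should read "rather than per-device", and the heading "Next Generation Firewall Tools" would be clearer if it named ufw and firewalld directly. Since the section tells readers to turn off the host firewall manager, it should also say what filtering remains in place afterwards.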