diff --git a/api-ref/source/v2/fwaas-v2.inc b/api-ref/source/v2/fwaas-v2.inc
index f1fc949c0..c452475f7 100644
--- a/api-ref/source/v2/fwaas-v2.inc
+++ b/api-ref/source/v2/fwaas-v2.inc
@@ -527,6 +527,7 @@ Response Parameters
 - firewall_rules: firewall_rules_object
 - action: firewall_rule_action-body-required
 - description: firewall_rule_description-body-required
+ - destination_firewall_group_id: destination_firewall_group_id-body-required
 - destination_ip_address: firewall_rule_destination_ip_address-body-required
 - destination_port: firewall_rule_destination_port-body-required
 - enabled: firewall_rule_enabled-body-required
@@ -537,6 +538,7 @@ Response Parameters
 - project_id: project_id-body-required
 - protocol: firewall_rule_protocol-body-required
 - shared: firewall_rule_shared-body-required
+ - source_firewall_group_id: source_firewall_group_id-body-required
 - source_ip_address: firewall_rule_source_ip_address-body-required
 - source_port: firewall_rule_source_port-body-required
 - tenant_id: project_id-body-required
@@ -577,6 +579,7 @@ Response Parameters
 - firewall_rule: firewall_rule_object
 - action: firewall_rule_action-body-required
 - description: firewall_rule_description-body-required
+ - destination_firewall_group_id: destination_firewall_group_id-body-required
 - destination_ip_address: firewall_rule_destination_ip_address-body-required
 - destination_port: firewall_rule_destination_port-body-required
 - enabled: firewall_rule_enabled-body-required
@@ -587,6 +590,7 @@ Response Parameters
 - project_id: project_id-body-required
 - protocol: firewall_rule_protocol-body-required
 - shared: firewall_rule_shared-body-required
+ - source_firewall_group_id: source_firewall_group_id-body-required
 - source_ip_address: firewall_rule_source_ip_address-body-required
 - source_port: firewall_rule_source_port-body-required
 - tenant_id: project_id-body-required
@@ -616,6 +620,7 @@ Request
 - firewall_rule: firewall_rule_object
 - action: firewall_rule_action-body-optional
 - description: firewall_rule_description-body-optional
+ - destination_firewall_group_id: destination_firewall_group_id-body-optional
 - destination_ip_address: firewall_rule_destination_ip_address-body-optional
 - destination_port: firewall_rule_destination_port-body-optional
 - enabled: firewall_rule_enabled-body-optional
@@ -624,6 +629,7 @@ Request
 - project_id: project_id-body-optional
 - protocol: firewall_rule_protocol-body-optional
 - shared: firewall_rule_shared-body-optional
+ - source_firewall_group_id: source_firewall_group_id-body-optional
 - source_ip_address: firewall_rule_source_ip_address-body-optional
 - source_port: firewall_rule_source_port-body-optional
 - tenant_id: project_id-body-optional
@@ -642,6 +648,7 @@ Response Parameters
 - firewall_rule: firewall_rule_object
 - action: firewall_rule_action-body-required
 - description: firewall_rule_description-body-required
+ - destination_firewall_group_id: destination_firewall_group_id-body-required
 - destination_ip_address: firewall_rule_destination_ip_address-body-required
 - destination_port: firewall_rule_destination_port-body-required
 - enabled: firewall_rule_enabled-body-required
@@ -652,6 +659,7 @@ Response Parameters
 - project_id: project_id-body-required
 - protocol: firewall_rule_protocol-body-required
 - shared: firewall_rule_shared-body-required
+ - source_firewall_group_id: source_firewall_group_id-body-required
 - source_ip_address: firewall_rule_source_ip_address-body-required
 - source_port: firewall_rule_source_port-body-required
 - tenant_id: project_id-body-required
@@ -682,6 +690,7 @@ Request
 - firewall_rule: firewall_rule_object
 - action: firewall_rule_action-body-optional
 - description: firewall_rule_description-body-optional
+ - destination_firewall_group_id: destination_firewall_group_id-body-optional
 - destination_ip_address: firewall_rule_destination_ip_address-body-optional
 - destination_port: firewall_rule_destination_port-body-optional
 - enabled: firewall_rule_enabled-body-optional
@@ -691,6 +700,7 @@ Request
 - project_id: project_id-body-optional
 - protocol: firewall_rule_protocol-body-optional
 - shared: firewall_rule_shared-body-optional
+ - source_firewall_group_id: source_firewall_group_id-body-optional
 - source_ip_address: firewall_rule_source_ip_address-body-optional
 - source_port: firewall_rule_source_port-body-optional
 - tenant_id: project_id-body-optional
@@ -709,6 +719,7 @@ Response Parameters
 - firewall_rule: firewall_rule_object
 - action: firewall_rule_action-body-required
 - description: firewall_rule_description-body-required
+ - destination_firewall_group_id: destination_firewall_group_id-body-required
 - destination_ip_address: firewall_rule_destination_ip_address-body-required
 - destination_port: firewall_rule_destination_port-body-required
 - enabled: firewall_rule_enabled-body-required
@@ -719,6 +730,7 @@ Response Parameters
 - project_id: project_id-body-required
 - protocol: firewall_rule_protocol-body-required
 - shared: firewall_rule_shared-body-required
+ - source_firewall_group_id: source_firewall_group_id-body-required
 - source_ip_address: firewall_rule_source_ip_address-body-required
 - source_port: firewall_rule_source_port-body-required
 - tenant_id: project_id-body-required
diff --git a/api-ref/source/v2/parameters.yaml b/api-ref/source/v2/parameters.yaml
index 77cdad674..ca6ce7f9c 100644
--- a/api-ref/source/v2/parameters.yaml
+++ b/api-ref/source/v2/parameters.yaml
@@ -1510,6 +1510,18 @@ description_resource:
 in: body
 required: true
 type: string
+destination_firewall_group_id-body-optional:
+ description: |
+ The ID of the remote destination firewall group.
+ in: body
+ required: false
+ type: string
+destination_firewall_group_id-body-required:
+ description: |
+ The ID of the remote destination firewall group.
+ in: body
+ required: true
+ type: string
 destination_ip_address:
 description: |
 The destination IPv4 or IPv6 address or CIDR. No
@@ -5504,6 +5516,18 @@ sni_container_refs-response:
 in: body
 required: true
 type: array
+source_firewall_group_id-body-optional:
+ description: |
+ The ID of the remote source firewall group.
+ in: body
+ required: no
+ type: string
+source_firewall_group_id-body-required:
+ description: |
+ The ID of the remote source firewall group.
+ in: body
+ required: true
+ type: string
 source_ip_address:
 description: |
 The source IPv4 or IPv6 address or CIDR.
diff --git a/api-ref/source/v2/samples/firewall-v2/firewall-rule-create-response.json b/api-ref/source/v2/samples/firewall-v2/firewall-rule-create-response.json
index 83f4305bf..949684e67 100644
--- a/api-ref/source/v2/samples/firewall-v2/firewall-rule-create-response.json
+++ b/api-ref/source/v2/samples/firewall-v2/firewall-rule-create-response.json
@@ -2,6 +2,7 @@
 "firewall_rule": {
 "action": "deny",
 "description": "",
+ "destination_firewall_group_id": null,
 "destination_ip_address": null,
 "destination_port": null,
 "enabled": true,
@@ -11,6 +12,7 @@
 "project_id": "95573613ec554b4b8df9f2679c64557b",
 "protocol": null,
 "shared": false,
+ "source_firewall_group_id": null,
 "source_ip_address": null,
 "source_port": null,
 "tenant_id": "95573613ec554b4b8df9f2679c64557b"
diff --git a/api-ref/source/v2/samples/firewall-v2/firewall-rule-show-response.json b/api-ref/source/v2/samples/firewall-v2/firewall-rule-show-response.json
index c5fe0533d..3b8c97824 100644
--- a/api-ref/source/v2/samples/firewall-v2/firewall-rule-show-response.json
+++ b/api-ref/source/v2/samples/firewall-v2/firewall-rule-show-response.json
@@ -2,6 +2,7 @@
 "firewall_rule": {
 "action": "allow",
 "description": "",
+ "destination_firewall_group_id": null,
 "destination_ip_address": null,
 "destination_port": "80",
 "enabled": true,
@@ -13,6 +14,7 @@
 "project_id": "45977fa2dbd7482098dd68d0d8970117",
 "protocol": "tcp",
 "shared": false,
+ "source_firewall_group_id": null,
 "source_ip_address": null,
 "source_port": null,
 "tenant_id": "45977fa2dbd7482098dd68d0d8970117"
diff --git a/api-ref/source/v2/samples/firewall-v2/firewall-rule-update-response.json b/api-ref/source/v2/samples/firewall-v2/firewall-rule-update-response.json
index 29abe36a1..6bf84711e 100644
--- a/api-ref/source/v2/samples/firewall-v2/firewall-rule-update-response.json
+++ b/api-ref/source/v2/samples/firewall-v2/firewall-rule-update-response.json
@@ -2,6 +2,7 @@
 "firewall_rule": {
 "action": "allow",
 "description": "",
+ "destination_firewall_group_id": null,
 "destination_ip_address": null,
 "destination_port": "80",
 "enabled": true,
@@ -13,6 +14,7 @@
 "project_id": "45977fa2dbd7482098dd68d0d8970117",
 "protocol": "tcp",
 "shared": true,
+ "source_firewall_group_id": null,
 "source_ip_address": null,
 "source_port": null,
 "tenant_id": "45977fa2dbd7482098dd68d0d8970117"
diff --git a/api-ref/source/v2/samples/firewall-v2/firewall-rules-list-response.json b/api-ref/source/v2/samples/firewall-v2/firewall-rules-list-response.json
index 309bbc4a8..a979ffdc8 100644
--- a/api-ref/source/v2/samples/firewall-v2/firewall-rules-list-response.json
+++ b/api-ref/source/v2/samples/firewall-v2/firewall-rules-list-response.json
@@ -3,6 +3,7 @@
 {
 "action": "allow",
 "description": "",
+ "destination_firewall_group_id": null,
 "destination_ip_address": null,
 "destination_port": "80",
 "enabled": true,
@@ -14,6 +15,7 @@ "project_id": "45977fa2dbd7482098dd68d0d8970117", "protocol": "tcp", "shared": false, + "source_firewall_group_id": null, "source_ip_address": null, "source_port": null, "tenant_id": "45977fa2dbd7482098dd68d0d8970117" diff --git a/neutron_lib/api/definitions/firewall_v2.py b/neutron_lib/api/definitions/firewall_v2.py index 5f5ac8f3f..a34261ae2 100644 --- a/neutron_lib/api/definitions/firewall_v2.py +++ b/neutron_lib/api/definitions/firewall_v2.py @@ -100,6 +100,14 @@ RESOURCE_ATTRIBUTE_MAP = { 'enabled': {'allow_post': True, 'allow_put': True, 'convert_to': converters.convert_to_boolean, 'default': True, 'is_visible': True}, + 'source_firewall_group_id': {'allow_post': True, 'allow_put': True, + 'validate': {'type:uuid_or_none': None}, + 'is_visible': True, 'default': None}, + 'destination_firewall_group_id': {'allow_post': True, + 'allow_put': True, + 'validate': + {'type:uuid_or_none': None}, + 'is_visible': True, 'default': None}, }, api_const.FIREWALL_GROUPS: { 'id': {'allow_post': False, 'allow_put': False, diff --git a/neutron_lib/tests/unit/api/definitions/test_firewall_v2.py b/neutron_lib/tests/unit/api/definitions/test_firewall_v2.py index 3191fcac5..5be45b542 100644 --- a/neutron_lib/tests/unit/api/definitions/test_firewall_v2.py +++ b/neutron_lib/tests/unit/api/definitions/test_firewall_v2.py @@ -24,4 +24,6 @@ class FirewallDefinitionTestCase(base.DefinitionBaseTestCase): 'firewall_policy_id', 'firewall_rules', 'ingress_firewall_policy_id', 'ip_version', 'ports', 'position', 'protocol', 'shared', - 'source_ip_address', 'source_port') + 'source_ip_address', 'source_port', + 'source_firewall_group_id', + 'destination_firewall_group_id') diff --git a/releasenotes/notes/add_fwg_group-9252d07f1011613d.yaml b/releasenotes/notes/add_fwg_group-9252d07f1011613d.yaml new file mode 100644 index 000000000..414925e53 --- /dev/null +++ b/releasenotes/notes/add_fwg_group-9252d07f1011613d.yaml 
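Review bot: The two attributes added to `RESOURCE_ATTRIBUTE_MAP` in `neutron_lib/api/definitions/firewall_v2.py` are validated only with `type:uuid_or_none`, so the definition accepts any well-formed UUID and records nothing about whether the referenced firewall group exists or is visible to the requesting project. Both fields allow POST and PUT and rules can be `shared`, so that check presumably has to be made by the service plugin, and the definition should say so. It is also not stated whether a rule may set both `source_firewall_group_id` and `source_ip_address` (likewise for the destination pair), or which one applies when both are present. I would add a comment above the two entries such as `# Format check only: the plugin must verify the group exists and is accessible to the caller, and define how this combines with *_ip_address.` The enclosing dict starts and ends outside the hunk, so any existing convention for such comments is not visible here.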
@@ -0,0 +1,8 @@
+---
+features:
+ - |
+ Updated fwaas API extension definition to include previously missing
+ ability to specify remote firewall groups for ingress and egress traffic.
+ When a firewall group rule specifies a remote group, for example an
+ ingress rule in fwgA specifies a remote group of fwgB, that means only
+ packets from fwgB could match this ingress rule.