Merge "Adds Remote Firewall Groups to FWaaS V2 Rules"

api-ref/source/v2/fwaas-v2.inc

@@ -527,6 +527,7 @@ Response Parameters
    - firewall_rules: firewall_rules_object
    - action: firewall_rule_action-body-required
    - description: firewall_rule_description-body-required
+   - destination_firewall_group_id: destination_firewall_group_id-body-required
    - destination_ip_address: firewall_rule_destination_ip_address-body-required
    - destination_port: firewall_rule_destination_port-body-required
    - enabled: firewall_rule_enabled-body-required
@@ -537,6 +538,7 @@ Response Parameters
    - project_id: project_id-body-required
    - protocol: firewall_rule_protocol-body-required
    - shared: firewall_rule_shared-body-required
+   - source_firewall_group_id: source_firewall_group_id-body-required
    - source_ip_address: firewall_rule_source_ip_address-body-required
    - source_port: firewall_rule_source_port-body-required
    - tenant_id: project_id-body-required
@@ -577,6 +579,7 @@ Response Parameters
    - firewall_rule: firewall_rule_object
    - action: firewall_rule_action-body-required
    - description: firewall_rule_description-body-required
+   - destination_firewall_group_id: destination_firewall_group_id-body-required
    - destination_ip_address: firewall_rule_destination_ip_address-body-required
    - destination_port: firewall_rule_destination_port-body-required
    - enabled: firewall_rule_enabled-body-required
@@ -587,6 +590,7 @@ Response Parameters
    - project_id: project_id-body-required
    - protocol: firewall_rule_protocol-body-required
    - shared: firewall_rule_shared-body-required
+   - source_firewall_group_id: source_firewall_group_id-body-required
    - source_ip_address: firewall_rule_source_ip_address-body-required
    - source_port: firewall_rule_source_port-body-required
    - tenant_id: project_id-body-required
@@ -616,6 +620,7 @@ Request
    - firewall_rule: firewall_rule_object
    - action: firewall_rule_action-body-optional
    - description: firewall_rule_description-body-optional
+   - destination_firewall_group_id: destination_firewall_group_id-body-optional
    - destination_ip_address: firewall_rule_destination_ip_address-body-optional
    - destination_port: firewall_rule_destination_port-body-optional
    - enabled: firewall_rule_enabled-body-optional
@@ -624,6 +629,7 @@ Request
    - project_id: project_id-body-optional
    - protocol: firewall_rule_protocol-body-optional
    - shared: firewall_rule_shared-body-optional
+   - source_firewall_group_id: source_firewall_group_id-body-optional
    - source_ip_address: firewall_rule_source_ip_address-body-optional
    - source_port: firewall_rule_source_port-body-optional
    - tenant_id: project_id-body-optional
@@ -642,6 +648,7 @@ Response Parameters
    - firewall_rule: firewall_rule_object
    - action: firewall_rule_action-body-required
    - description: firewall_rule_description-body-required
+   - destination_firewall_group_id: destination_firewall_group_id-body-required
    - destination_ip_address: firewall_rule_destination_ip_address-body-required
    - destination_port: firewall_rule_destination_port-body-required
    - enabled: firewall_rule_enabled-body-required
@@ -652,6 +659,7 @@ Response Parameters
    - project_id: project_id-body-required
    - protocol: firewall_rule_protocol-body-required
    - shared: firewall_rule_shared-body-required
+   - source_firewall_group_id: source_firewall_group_id-body-required
    - source_ip_address: firewall_rule_source_ip_address-body-required
    - source_port: firewall_rule_source_port-body-required
    - tenant_id: project_id-body-required
@@ -682,6 +690,7 @@ Request
    - firewall_rule: firewall_rule_object
    - action: firewall_rule_action-body-optional
    - description: firewall_rule_description-body-optional
+   - destination_firewall_group_id: destination_firewall_group_id-body-optional
    - destination_ip_address: firewall_rule_destination_ip_address-body-optional
    - destination_port: firewall_rule_destination_port-body-optional
    - enabled: firewall_rule_enabled-body-optional
@@ -691,6 +700,7 @@ Request
    - project_id: project_id-body-optional
    - protocol: firewall_rule_protocol-body-optional
    - shared: firewall_rule_shared-body-optional
+   - source_firewall_group_id: source_firewall_group_id-body-optional
    - source_ip_address: firewall_rule_source_ip_address-body-optional
    - source_port: firewall_rule_source_port-body-optional
    - tenant_id: project_id-body-optional
@@ -709,6 +719,7 @@ Response Parameters
    - firewall_rule: firewall_rule_object
    - action: firewall_rule_action-body-required
    - description: firewall_rule_description-body-required
+   - destination_firewall_group_id: destination_firewall_group_id-body-required
    - destination_ip_address: firewall_rule_destination_ip_address-body-required
    - destination_port: firewall_rule_destination_port-body-required
    - enabled: firewall_rule_enabled-body-required
@@ -719,6 +730,7 @@ Response Parameters
    - project_id: project_id-body-required
    - protocol: firewall_rule_protocol-body-required
    - shared: firewall_rule_shared-body-required
+   - source_firewall_group_id: source_firewall_group_id-body-required
    - source_ip_address: firewall_rule_source_ip_address-body-required
    - source_port: firewall_rule_source_port-body-required
    - tenant_id: project_id-body-required

api-ref/source/v2/parameters.yaml

@@ -1510,6 +1510,18 @@ description_resource:
   in: body
   required: true
   type: string
+destination_firewall_group_id-body-optional:
+  description: |
+    The ID of the remote destination firewall group.
+  in: body
+  required: false
+  type: string
+destination_firewall_group_id-body-required:
+  description: |
+    The ID of the remote destination firewall group.
+  in: body
+  required: true
+  type: string
 destination_ip_address:
   description: |
     The destination IPv4 or IPv6 address or CIDR. No
@@ -5504,6 +5516,18 @@ sni_container_refs-response:
   in: body
   required: true
   type: array
+source_firewall_group_id-body-optional:
+  description: |
+    The ID  of the remote source firewall group.
+  in: body
+  required: no
+  type: string
+source_firewall_group_id-body-required:
+  description: |
+    The ID  of the remote source firewall group.
+  in: body
+  required: true
+  type: string
 source_ip_address:
   description: |
     The source IPv4 or IPv6 address or CIDR.

api-ref/source/v2/samples/firewall-v2/firewall-rule-create-response.json

@@ -2,6 +2,7 @@
     "firewall_rule": {
         "action": "deny",
         "description": "",
+        "destination_firewall_group_id": null,
         "destination_ip_address": null,
         "destination_port": null,
         "enabled": true,
@@ -11,6 +12,7 @@
         "project_id": "95573613ec554b4b8df9f2679c64557b",
         "protocol": null,
         "shared": false,
+        "source_firewall_group_id": null,
         "source_ip_address": null,
         "source_port": null,
         "tenant_id": "95573613ec554b4b8df9f2679c64557b"

api-ref/source/v2/samples/firewall-v2/firewall-rule-show-response.json

@@ -2,6 +2,7 @@
     "firewall_rule": {
         "action": "allow",
         "description": "",
+        "destination_firewall_group_id": null,
         "destination_ip_address": null,
         "destination_port": "80",
         "enabled": true,
@@ -13,6 +14,7 @@
         "project_id": "45977fa2dbd7482098dd68d0d8970117",
         "protocol": "tcp",
         "shared": false,
+        "source_firewall_group_id": null,
         "source_ip_address": null,
         "source_port": null,
         "tenant_id": "45977fa2dbd7482098dd68d0d8970117"

api-ref/source/v2/samples/firewall-v2/firewall-rule-update-response.json

@@ -2,6 +2,7 @@
     "firewall_rule": {
         "action": "allow",
         "description": "",
+        "destination_firewall_group_id": null,
         "destination_ip_address": null,
         "destination_port": "80",
         "enabled": true,
@@ -13,6 +14,7 @@
         "project_id": "45977fa2dbd7482098dd68d0d8970117",
         "protocol": "tcp",
         "shared": true,
+        "source_firewall_group_id": null,
         "source_ip_address": null,
         "source_port": null,
         "tenant_id": "45977fa2dbd7482098dd68d0d8970117"

api-ref/source/v2/samples/firewall-v2/firewall-rules-list-response.json

@@ -3,6 +3,7 @@
         {
             "action": "allow",
             "description": "",
+            "destination_firewall_group_id": null,
             "destination_ip_address": null,
             "destination_port": "80",
             "enabled": true,
@@ -14,6 +15,7 @@
             "project_id": "45977fa2dbd7482098dd68d0d8970117",
             "protocol": "tcp",
             "shared": false,
+            "source_firewall_group_id": null,
             "source_ip_address": null,
             "source_port": null,
             "tenant_id": "45977fa2dbd7482098dd68d0d8970117"

neutron_lib/api/definitions/firewall_v2.py

@@ -100,6 +100,14 @@ RESOURCE_ATTRIBUTE_MAP = {
         'enabled': {'allow_post': True, 'allow_put': True,
                     'convert_to': converters.convert_to_boolean,
                     'default': True, 'is_visible': True},
+        'source_firewall_group_id': {'allow_post': True, 'allow_put': True,
+                                     'validate': {'type:uuid_or_none': None},
+                                     'is_visible': True, 'default': None},
+        'destination_firewall_group_id': {'allow_post': True,
+                                          'allow_put': True,
+                                          'validate':
+                                              {'type:uuid_or_none': None},
+                                          'is_visible': True, 'default': None},
     },
     api_const.FIREWALL_GROUPS: {
         'id': {'allow_post': False, 'allow_put': False,

neutron_lib/tests/unit/api/definitions/test_firewall_v2.py

@@ -24,4 +24,6 @@ class FirewallDefinitionTestCase(base.DefinitionBaseTestCase):
                             'firewall_policy_id', 'firewall_rules',
                             'ingress_firewall_policy_id', 'ip_version',
                             'ports', 'position', 'protocol', 'shared',
-                            'source_ip_address', 'source_port')
+                            'source_ip_address', 'source_port',
+                            'source_firewall_group_id',
+                            'destination_firewall_group_id')

releasenotes/notes/add_fwg_group-9252d07f1011613d.yaml

@@ -0,0 +1,8 @@
+---
+features:
+  - |
+    Updated fwaas API extension definition to include  previously missing
+    ability to specify remote firewall groups for ingress and egress traffic.
+    When a firewall group rule specifies a remote group, for example an
+    ingress rule in fwgA specifies a remote group of fwgB, that means only
+    packets from fwgB could match this ingress rule.