Adds Remote Firewall Groups to FWaaS V2 Rules

In the original spec
(https://specs.openstack.org/openstack/neutron-specs/specs/mitaka/fwaas-api-2.0.html)
FWaaS V2 introduced remote firewall groups. This
implements them in the API.

Change-Id: I4086278fe90ec68631ae1dbba4b17f8cf06005ed
German Eichberger 2017-11-17 13:28:13 -08:00
parent f06fd07d74
commit c30700866e
9 changed files with 63 additions and 1 deletions

@ -527,6 +527,7 @@ Response Parameters
- firewall_rules: firewall_rules_object
- action: firewall_rule_action-body-required
- description: firewall_rule_description-body-required
- destination_firewall_group_id: destination_firewall_group_id-body-required
- destination_ip_address: firewall_rule_destination_ip_address-body-required
- destination_port: firewall_rule_destination_port-body-required
- enabled: firewall_rule_enabled-body-required
@ -537,6 +538,7 @@ Response Parameters
- project_id: project_id-body-required
- protocol: firewall_rule_protocol-body-required
- shared: firewall_rule_shared-body-required
- source_firewall_group_id: source_firewall_group_id-body-required
- source_ip_address: firewall_rule_source_ip_address-body-required
- source_port: firewall_rule_source_port-body-required
- tenant_id: project_id-body-required
@ -577,6 +579,7 @@ Response Parameters
- firewall_rule: firewall_rule_object
- action: firewall_rule_action-body-required
- description: firewall_rule_description-body-required
- destination_firewall_group_id: destination_firewall_group_id-body-required
- destination_ip_address: firewall_rule_destination_ip_address-body-required
- destination_port: firewall_rule_destination_port-body-required
- enabled: firewall_rule_enabled-body-required
@ -587,6 +590,7 @@ Response Parameters
- project_id: project_id-body-required
- protocol: firewall_rule_protocol-body-required
- shared: firewall_rule_shared-body-required
- source_firewall_group_id: source_firewall_group_id-body-required
- source_ip_address: firewall_rule_source_ip_address-body-required
- source_port: firewall_rule_source_port-body-required
- tenant_id: project_id-body-required
@ -616,6 +620,7 @@ Request
- firewall_rule: firewall_rule_object
- action: firewall_rule_action-body-optional
- description: firewall_rule_description-body-optional
- destination_firewall_group_id: destination_firewall_group_id-body-optional
- destination_ip_address: firewall_rule_destination_ip_address-body-optional
- destination_port: firewall_rule_destination_port-body-optional
- enabled: firewall_rule_enabled-body-optional
@ -624,6 +629,7 @@ Request
- project_id: project_id-body-optional
- protocol: firewall_rule_protocol-body-optional
- shared: firewall_rule_shared-body-optional
- source_firewall_group_id: source_firewall_group_id-body-optional
- source_ip_address: firewall_rule_source_ip_address-body-optional
- source_port: firewall_rule_source_port-body-optional
- tenant_id: project_id-body-optional
@ -642,6 +648,7 @@ Response Parameters
- firewall_rule: firewall_rule_object
- action: firewall_rule_action-body-required
- description: firewall_rule_description-body-required
- destination_firewall_group_id: destination_firewall_group_id-body-required
- destination_ip_address: firewall_rule_destination_ip_address-body-required
- destination_port: firewall_rule_destination_port-body-required
- enabled: firewall_rule_enabled-body-required
@ -652,6 +659,7 @@ Response Parameters
- project_id: project_id-body-required
- protocol: firewall_rule_protocol-body-required
- shared: firewall_rule_shared-body-required
- source_firewall_group_id: source_firewall_group_id-body-required
- source_ip_address: firewall_rule_source_ip_address-body-required
- source_port: firewall_rule_source_port-body-required
- tenant_id: project_id-body-required
@ -682,6 +690,7 @@ Request
- firewall_rule: firewall_rule_object
- action: firewall_rule_action-body-optional
- description: firewall_rule_description-body-optional
- destination_firewall_group_id: destination_firewall_group_id-body-optional
- destination_ip_address: firewall_rule_destination_ip_address-body-optional
- destination_port: firewall_rule_destination_port-body-optional
- enabled: firewall_rule_enabled-body-optional
@ -691,6 +700,7 @@ Request
- project_id: project_id-body-optional
- protocol: firewall_rule_protocol-body-optional
- shared: firewall_rule_shared-body-optional
- source_firewall_group_id: source_firewall_group_id-body-optional
- source_ip_address: firewall_rule_source_ip_address-body-optional
- source_port: firewall_rule_source_port-body-optional
- tenant_id: project_id-body-optional
@ -709,6 +719,7 @@ Response Parameters
- firewall_rule: firewall_rule_object
- action: firewall_rule_action-body-required
- description: firewall_rule_description-body-required
- destination_firewall_group_id: destination_firewall_group_id-body-required
- destination_ip_address: firewall_rule_destination_ip_address-body-required
- destination_port: firewall_rule_destination_port-body-required
- enabled: firewall_rule_enabled-body-required
@ -719,6 +730,7 @@ Response Parameters
- project_id: project_id-body-required
- protocol: firewall_rule_protocol-body-required
- shared: firewall_rule_shared-body-required
- source_firewall_group_id: source_firewall_group_id-body-required
- source_ip_address: firewall_rule_source_ip_address-body-required
- source_port: firewall_rule_source_port-body-required
- tenant_id: project_id-body-required

@ -1510,6 +1510,18 @@ description_resource:
in: body
required: true
type: string
destination_firewall_group_id-body-optional:
description: |
The ID of the remote destination firewall group.
in: body
required: false
type: string
destination_firewall_group_id-body-required:
description: |
The ID of the remote destination firewall group.
in: body
required: true
type: string
destination_ip_address:
description: |
The destination IPv4 or IPv6 address or CIDR. No
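Review bot: The description added for destination_firewall_group_id-body-optional and destination_firewall_group_id-body-required ("The ID of the remote destination firewall group.") does not say that the value may be null or how it relates to destination_ip_address on the same rule. The field changes which traffic a rule matches, so state the null default and whether it can be combined with an address or CIDR, so API users do not have to guess the effective match.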
@ -5502,6 +5514,18 @@ sni_container_refs-response:
in: body
required: true
type: array
source_firewall_group_id-body-optional:
description: |
The ID of the remote source firewall group.
in: body
required: no
type: string
source_firewall_group_id-body-required:
description: |
The ID of the remote source firewall group.
in: body
required: true
type: string
source_ip_address:
description: |
The source IPv4 or IPv6 address or CIDR.
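Review bot: source_firewall_group_id-body-optional is declared with `required: no`, while the matching destination_firewall_group_id-body-optional entry added earlier in this file uses `required: false`. Use `required: false` here too so the two optional parameters are declared the same way.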

@ -2,6 +2,7 @@
"firewall_rule": {
"action": "deny",
"description": "",
"destination_firewall_group_id": null,
"destination_ip_address": null,
"destination_port": null,
"enabled": true,
@ -11,6 +12,7 @@
"project_id": "95573613ec554b4b8df9f2679c64557b",
"protocol": null,
"shared": false,
"source_firewall_group_id": null,
"source_ip_address": null,
"source_port": null,
"tenant_id": "95573613ec554b4b8df9f2679c64557b"

@ -2,6 +2,7 @@
"firewall_rule": {
"action": "allow",
"description": "",
"destination_firewall_group_id": null,
"destination_ip_address": null,
"destination_port": "80",
"enabled": true,
@ -13,6 +14,7 @@
"project_id": "45977fa2dbd7482098dd68d0d8970117",
"protocol": "tcp",
"shared": false,
"source_firewall_group_id": null,
"source_ip_address": null,
"source_port": null,
"tenant_id": "45977fa2dbd7482098dd68d0d8970117"

@ -2,6 +2,7 @@
"firewall_rule": {
"action": "allow",
"description": "",
"destination_firewall_group_id": null,
"destination_ip_address": null,
"destination_port": "80",
"enabled": true,
@ -13,6 +14,7 @@
"project_id": "45977fa2dbd7482098dd68d0d8970117",
"protocol": "tcp",
"shared": true,
"source_firewall_group_id": null,
"source_ip_address": null,
"source_port": null,
"tenant_id": "45977fa2dbd7482098dd68d0d8970117"

@ -3,6 +3,7 @@
{
"action": "allow",
"description": "",
"destination_firewall_group_id": null,
"destination_ip_address": null,
"destination_port": "80",
"enabled": true,
@ -14,6 +15,7 @@
"project_id": "45977fa2dbd7482098dd68d0d8970117",
"protocol": "tcp",
"shared": false,
"source_firewall_group_id": null,
"source_ip_address": null,
"source_port": null,
"tenant_id": "45977fa2dbd7482098dd68d0d8970117"

@ -100,6 +100,14 @@ RESOURCE_ATTRIBUTE_MAP = {
'enabled': {'allow_post': True, 'allow_put': True,
'convert_to': converters.convert_to_boolean,
'default': True, 'is_visible': True},
'source_firewall_group_id': {'allow_post': True, 'allow_put': True,
'validate': {'type:uuid_or_none': None},
'is_visible': True, 'default': None},
'destination_firewall_group_id': {'allow_post': True,
'allow_put': True,
'validate':
{'type:uuid_or_none': None},
'is_visible': True, 'default': None},
},
api_const.FIREWALL_GROUPS: {
'id': {'allow_post': False, 'allow_put': False,
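Review bot: Both new attributes are validated only with 'type:uuid_or_none', so at this layer any well-formed UUID is accepted on POST and PUT. Nothing in this definition states whether the referenced group must exist, whether it has to belong to the caller's project, or whether source_firewall_group_id may be set together with source_ip_address (likewise for the destination pair). If those checks live in the plugin, a comment here pointing to them would help; if they do not exist yet, they should be tracked, because a rule that references an unintended group matches different traffic than its author expects.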

@ -24,4 +24,6 @@ class FirewallDefinitionTestCase(base.DefinitionBaseTestCase):
'firewall_policy_id', 'firewall_rules',
'ingress_firewall_policy_id', 'ip_version',
'ports', 'position', 'protocol', 'shared',
'source_ip_address', 'source_port')
'source_ip_address', 'source_port',
'source_firewall_group_id',
'destination_firewall_group_id')

@ -0,0 +1,8 @@
---
features:
- |
Updated fwaas API extension definition to include previously missing
ability to specify remote firewall groups for ingress and egress traffic.
When a firewall group rule specifies a remote group, for example an
ingress rule in fwgA specifies a remote group of fwgB, that means only
packets from fwgB could match this ingress rule.
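Review bot: The release note illustrates the ingress case only ("only packets from fwgB could match this ingress rule") although it announces remote groups for ingress and egress traffic. Add the egress counterpart, and name the new source_firewall_group_id and destination_firewall_group_id fields so operators can tell which field restricts which direction.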