318a6b606b
project_id and tenant_id field in request/response body are marked as "path" now. It should be "body". - "project_id-path" already exists and it can be used for "project_id" in URL path. - "project_id" is now used for body. - "project_id-body" is now duplicated, so it was removed. fwaas.inc is the only user of project_id-body and it is updated accordingly. - quotas.inc is updated to use 'project_id-path'. Also project_id and tenant_id in response body of a quotas operation have been dropped as they do not exist. Note that project_id/tenant_id in request body should be marked as "optional" in most resources but this patch does not touch them to avoid unnecessary merge conflicts. They will be fixed in separate patches. Change-Id: Ic5a4f55b837ee0a51b7186c3342a94c8c00f6c97 Closes-Bug: #1650174
813 lines
18 KiB
PHP
813 lines
18 KiB
PHP
==========================================================================
|
|
FWaaS v1.0 (DEPRECATED) (fw, firewalls, firewall_policies, firewall_rules)
|
|
==========================================================================
|
|
|
|
Use the Firewall-as-a-Service (FWaaS) v1.0 extension to deploy
|
|
firewalls to protect your networks.
|
|
|
|
The FWaaS extension enables you to:
|
|
|
|
- Apply firewall rules on traffic entering and leaving project
|
|
networks.
|
|
|
|
- Apply TCP, UDP, ICMP, or protocol-agnostic rules.
|
|
|
|
- Create and share firewall policies that hold an ordered collection
|
|
of the firewall rules.
|
|
|
|
- Audit firewall rules and policies.
|
|
|
|
This extension introduces these resources:
|
|
|
|
- ``firewall``. A logical firewall resource that a project can
|
|
instantiate and manage. A firewall can have one firewall policy.
|
|
|
|
- ``firewall_policy``. An ordered collection of firewall rules. You
|
|
can share a firewall policy across projects. You can include a
|
|
firewall policy as part of an audit workflow so that an
|
|
authorized relevant entity can audit the firewall policy. This
|
|
entity can differ from the user who created, or the projects
|
|
that use, the firewall policy.
|
|
|
|
- ``firewall_rule``. A collection of attributes, such as ports and
|
|
IP addresses. These attributes define match criteria and an
|
|
action to take, such as allow or deny, on matched data traffic.
|
|
|
|
List firewall policies
|
|
======================
|
|
|
|
.. rest_method:: GET /v2.0/fw/firewall_policies
|
|
|
|
Lists all firewall policies.
|
|
|
|
Use the ``fields`` query parameter to control which fields are
|
|
returned in the response body. Additionally, you can filter results
|
|
by using query string parameters. For information, see `Filtering
|
|
and Column Selection <https://wiki.openstack.org/wiki/Neutron/APIv2
|
|
-specification#Filtering_and_Column_Selection>`__.
|
|
|
|
Normal response codes: 200
|
|
|
|
Error response codes: 401, 403
|
|
|
|
Request
|
|
-------
|
|
|
|
.. rest_parameters:: parameters.yaml
|
|
|
|
- fields: fields
|
|
|
|
Response Parameters
|
|
-------------------
|
|
|
|
.. rest_parameters:: parameters.yaml
|
|
|
|
- tenant_id: project_id
|
|
- firewall_policies: firewall_policies
|
|
- audited: audited
|
|
- description: description
|
|
- firewall_rules: firewall_rules
|
|
- id: firewall_policy_id-body
|
|
- name: name
|
|
- shared: shared-response
|
|
- project_id: project_id
|
|
|
|
Response Example
|
|
----------------
|
|
|
|
.. literalinclude:: samples/firewalls/firewall-policies-list-response.json
|
|
:language: javascript
|
|
|
|
Create firewall policy
|
|
======================
|
|
|
|
.. rest_method:: POST /v2.0/fw/firewall_policies
|
|
|
|
Creates a firewall policy.
|
|
|
|
Normal response codes: 201
|
|
|
|
Error response codes: 400, 401
|
|
|
|
Request
|
|
-------
|
|
|
|
.. rest_parameters:: parameters.yaml
|
|
|
|
- firewall_policy: firewall_policy
|
|
- firewall_rules_id: firewall_rules_id
|
|
- name: name
|
|
- tenant_id: project_id-request
|
|
- project_id: project_id-request
|
|
- shared: shared
|
|
- audited: audited
|
|
- description: description-request
|
|
|
|
Request Example
|
|
---------------
|
|
|
|
.. literalinclude:: samples/firewalls/firewall-policy-create-request.json
|
|
:language: javascript
|
|
|
|
Response Parameters
|
|
-------------------
|
|
|
|
.. rest_parameters:: parameters.yaml
|
|
|
|
- firewall_policy: firewall_policy
|
|
- name: name
|
|
- firewall_rules: firewall_rules
|
|
- tenant_id: project_id
|
|
- project_id: project_id
|
|
- audited: audited
|
|
- shared: shared-response
|
|
- id: firewall_policy_id-body
|
|
- description: description
|
|
|
|
Show firewall policy details
|
|
============================
|
|
|
|
.. rest_method:: GET /v2.0/fw/firewall_policies/{firewall_policy_id}
|
|
|
|
Shows details for a firewall policy.
|
|
|
|
If the user is not an administrative user and the firewall policy
|
|
object does not belong to the project, this call returns the
|
|
``Forbidden (403)`` response code.
|
|
|
|
Normal response codes: 200
|
|
|
|
Error response codes: 401, 403, 404
|
|
|
|
Request
|
|
-------
|
|
|
|
.. rest_parameters:: parameters.yaml
|
|
|
|
- firewall_policy_id: firewall_policy_id-path
|
|
|
|
Response Parameters
|
|
-------------------
|
|
|
|
.. rest_parameters:: parameters.yaml
|
|
|
|
- firewall_policy: firewall_policy
|
|
- tenant_id: project_id
|
|
- project_id: project_id
|
|
- audited: audited
|
|
- description: description
|
|
- firewall_rules: firewall_rules
|
|
- id: firewall_policy_id-body
|
|
- name: name
|
|
- shared: shared-response
|
|
|
|
Response Example
|
|
----------------
|
|
|
|
.. literalinclude:: samples/firewalls/firewall-policy-show-response.json
|
|
:language: javascript
|
|
|
|
Update firewall policy
|
|
======================
|
|
|
|
.. rest_method:: PUT /v2.0/fw/firewall_policies/{firewall_policy_id}
|
|
|
|
Updates a firewall policy.
|
|
|
|
Normal response codes: 200
|
|
|
|
Error response codes: 400, 401, 404
|
|
|
|
Request
|
|
-------
|
|
|
|
.. rest_parameters:: parameters.yaml
|
|
|
|
- firewall_policy_id: firewall_policy_id-path
|
|
- firewall_rule: firewall_rule
|
|
- shared: shared
|
|
- audited: audited
|
|
- description: description-request
|
|
- name: name
|
|
|
|
Request Example
|
|
---------------
|
|
|
|
.. literalinclude:: samples/firewalls/firewall-policy-update-request.json
|
|
:language: javascript
|
|
|
|
Response Parameters
|
|
-------------------
|
|
|
|
.. rest_parameters:: parameters.yaml
|
|
|
|
- firewall_policy: firewall_policy
|
|
- project_id: project_id
|
|
- audited: audited
|
|
- description: description
|
|
- firewall_rules: firewall_rules
|
|
- id: firewall_policy_id-body
|
|
- name: name
|
|
- shared: shared-response
|
|
- tenant_id: project_id
|
|
|
|
Response Example
|
|
----------------
|
|
|
|
.. literalinclude:: samples/firewalls/firewall-policy-update-response.json
|
|
:language: javascript
|
|
|
|
Delete firewall policy
|
|
======================
|
|
|
|
.. rest_method:: DELETE /v2.0/fw/firewall_policies/{firewall_policy_id}
|
|
|
|
Deletes a firewall policy.
|
|
|
|
Normal response codes: 204
|
|
|
|
Error response codes: 401, 404, 409
|
|
|
|
Request
|
|
-------
|
|
|
|
.. rest_parameters:: parameters.yaml
|
|
|
|
- firewall_policy_id: firewall_policy_id-path
|
|
|
|
Response
|
|
--------
|
|
|
|
There is no body content for the response of a successful DELETE request.
|
|
|
|
Insert rule into a firewall policy
|
|
==================================
|
|
|
|
.. rest_method:: PUT /v2.0/fw/firewall_policies/{firewall_policy_id}/insert_rule
|
|
|
|
Insert firewall rule into a policy.
|
|
|
|
A firewall_rule_id is inserted relative to the position of the
|
|
firewall_rule_id set in ``insert_before`` or ``insert_after``. If
|
|
``insert_before`` is set, ``insert_after`` is ignored. If both
|
|
``insert_before`` and ``insert_after`` are not set, the new
|
|
firewall_rule_id is inserted at the top of the policy.
|
|
|
|
Normal response codes: 200
|
|
|
|
Error response codes: 400, 401, 404, 409
|
|
|
|
Request
|
|
-------
|
|
|
|
.. rest_parameters:: parameters.yaml
|
|
|
|
- firewall_policy_id: firewall_policy_id-path
|
|
- firewall_rule_id: firewall_rule_id-body
|
|
- insert_after: insert_after
|
|
- insert_before: insert_before
|
|
|
|
Request Example
|
|
---------------
|
|
|
|
.. literalinclude:: samples/firewalls/firewall-policy-insert-rule-request.json
|
|
:language: javascript
|
|
|
|
Response Parameters
|
|
-------------------
|
|
|
|
.. rest_parameters:: parameters.yaml
|
|
|
|
- audited: audited
|
|
- description: description
|
|
- firewall_list: firewall_list
|
|
- firewall_rules: firewall_rules
|
|
- tenant_id: project_id
|
|
- project_id: project_id
|
|
- id: firewall_policy_id-body
|
|
- name: name
|
|
- shared: shared-response
|
|
|
|
Response Example
|
|
----------------
|
|
|
|
.. literalinclude:: samples/firewalls/firewall-policy-insert-rule-response.json
|
|
:language: javascript
|
|
|
|
Remove rule from firewall policy
|
|
================================
|
|
|
|
.. rest_method:: PUT /v2.0/fw/firewall_policies/{firewall_policy_id}/remove_rule
|
|
|
|
Remove firewall rule from a policy.
|
|
|
|
Normal response codes: 200
|
|
|
|
Error response codes: 400, 401, 404
|
|
|
|
Request
|
|
-------
|
|
|
|
.. rest_parameters:: parameters.yaml
|
|
|
|
- firewall_policy_id: firewall_policy_id-path
|
|
- firewall_rule_id: firewall_rule_id-body
|
|
|
|
Request Example
|
|
---------------
|
|
|
|
.. literalinclude:: samples/firewalls/firewall-policy-remove-rule-request.json
|
|
:language: javascript
|
|
|
|
Response Parameters
|
|
-------------------
|
|
|
|
.. rest_parameters:: parameters.yaml
|
|
|
|
- tenant_id: project_id
|
|
- project_id: project_id
|
|
- audited: audited
|
|
- description: description
|
|
- firewall_list: firewall_list
|
|
- firewall_rules: firewall_rules
|
|
- id: firewall_id-body
|
|
- name: name
|
|
- shared: shared-response
|
|
|
|
Response Example
|
|
----------------
|
|
|
|
.. literalinclude:: samples/firewalls/firewall-policy-remove-rule-response.json
|
|
:language: javascript
|
|
|
|
List firewall rules
|
|
===================
|
|
|
|
.. rest_method:: GET /v2.0/fw/firewall_rules
|
|
|
|
Lists all firewall rules.
|
|
|
|
The list might be empty.
|
|
|
|
Normal response codes: 200
|
|
|
|
Error response codes: 401, 403
|
|
|
|
Request
|
|
-------
|
|
|
|
Response Parameters
|
|
-------------------
|
|
|
|
.. rest_parameters:: parameters.yaml
|
|
|
|
- firewall_rule: firewall_rule
|
|
- action: action-response
|
|
- description: description
|
|
- tenant_id: project_id
|
|
- project_id: project_id
|
|
- destination_ip_address: destination_ip_address-response
|
|
- destination_port: destination_port-response
|
|
- enabled: enabled-response
|
|
- firewall_policy_id: firewall_policy_id-body
|
|
- id: firewall_id-body
|
|
- ip_version: ip_version-response
|
|
- name: name
|
|
- position: position
|
|
- protocol: protocol-response
|
|
- shared: shared-response
|
|
- source_ip_address: source_ip_address
|
|
- source_port: source_port-response
|
|
|
|
Response Example
|
|
----------------
|
|
|
|
.. literalinclude:: samples/firewalls/firewall-rules-list-response.json
|
|
:language: javascript
|
|
|
|
Create firewall rule
|
|
====================
|
|
|
|
.. rest_method:: POST /v2.0/fw/firewall_rules
|
|
|
|
Creates a firewall rule.
|
|
|
|
Normal response codes: 201
|
|
|
|
Error response codes: 400, 401
|
|
|
|
Request
|
|
-------
|
|
|
|
.. rest_parameters:: parameters.yaml
|
|
|
|
- firewall_rule: firewall_rule
|
|
- action: action
|
|
- destination_port: destination_port
|
|
- enabled: enabled
|
|
- description: description-request
|
|
- tenant_id: project_id-request
|
|
- project_id: project_id-request
|
|
- enabled: enabled
|
|
- name: name
|
|
- protocol: protocol
|
|
- ip_version: ip_version
|
|
- destination_ip_address: destination_ip_address
|
|
- source_port: source_port
|
|
- shared: shared
|
|
|
|
Request Example
|
|
---------------
|
|
|
|
.. literalinclude:: samples/firewalls/firewall-rule-create-request.json
|
|
:language: javascript
|
|
|
|
Response Parameters
|
|
-------------------
|
|
|
|
.. rest_parameters:: parameters.yaml
|
|
|
|
- firewall_rule: firewall_rule
|
|
- action: action-response
|
|
- description: description
|
|
- tenant_id: project_id
|
|
- project_id: project_id
|
|
- destination_ip_address: destination_ip_address-response
|
|
- destination_port: destination_port-response
|
|
- enabled: enabled-response
|
|
- firewall_policy_id: firewall_policy_id-body
|
|
- id: firewall_id-body
|
|
- ip_version: ip_version-response
|
|
- name: name
|
|
- position: position
|
|
- protocol: protocol-response
|
|
- shared: shared-response
|
|
- source_ip_address: source_ip_address
|
|
- source_port: source_port-response
|
|
|
|
Response Example
|
|
----------------
|
|
|
|
.. literalinclude:: samples/firewalls/firewall-rule-create-response.json
|
|
:language: javascript
|
|
|
|
Show firewall rule details
|
|
==========================
|
|
|
|
.. rest_method:: GET /v2.0/fw/firewall_rules/{firewall_rule_id}
|
|
|
|
Shows details for a firewall rule.
|
|
|
|
If the user is not an administrative user and the firewall rule
|
|
object does not belong to the project, this call returns the
|
|
``Forbidden (403)`` response code.
|
|
|
|
Normal response codes: 200
|
|
|
|
Error response codes: 401, 403, 404
|
|
|
|
Request
|
|
-------
|
|
|
|
.. rest_parameters:: parameters.yaml
|
|
|
|
- firewall_rule_id: firewall_rule_id
|
|
|
|
Response Parameters
|
|
-------------------
|
|
|
|
.. rest_parameters:: parameters.yaml
|
|
|
|
- firewall_rule: firewall_rule
|
|
- action: action-response
|
|
- description: description
|
|
- tenant_id: project_id
|
|
- project_id: project_id
|
|
- destination_ip_address: destination_ip_address-response
|
|
- destination_port: destination_port-response
|
|
- enabled: enabled-response
|
|
- firewall_policy_id: firewall_policy_id
|
|
- id: firewall_rule_id-body
|
|
- ip_version: ip_version-response
|
|
- name: name
|
|
- position: position
|
|
- protocol: protocol-response
|
|
- shared: shared-response
|
|
- source_ip_address: source_ip_address
|
|
- source_port: source_port-response
|
|
|
|
Response Example
|
|
----------------
|
|
|
|
.. literalinclude:: samples/firewalls/firewall-rule-show-response.json
|
|
:language: javascript
|
|
|
|
Update firewall rule
|
|
====================
|
|
|
|
.. rest_method:: PUT /v2.0/fw/firewall_rules/{firewall_rule_id}
|
|
|
|
Updates a firewall rule.
|
|
|
|
Normal response codes: 200
|
|
|
|
Error response codes: 400, 401, 404
|
|
|
|
Request
|
|
-------
|
|
|
|
.. rest_parameters:: parameters.yaml
|
|
|
|
- firewall_rule_id: firewall_rule_id
|
|
- firewall_rule: firewall_rule
|
|
- shared: shared
|
|
- description: description-request
|
|
- tenant_id: project_id-request
|
|
- project_id: project_id-request
|
|
- enabled: enabled
|
|
- ip_version: ip_version
|
|
- destination_ip_address: destination_ip_address
|
|
- source_port: source_port
|
|
- action: action
|
|
- protocol: protocol
|
|
- destination_port: destination_port
|
|
- name: name
|
|
|
|
Request Example
|
|
---------------
|
|
|
|
.. literalinclude:: samples/firewalls/firewall-rule-update-request.json
|
|
:language: javascript
|
|
|
|
Response Parameters
|
|
-------------------
|
|
|
|
.. rest_parameters:: parameters.yaml
|
|
|
|
- firewall_rule: firewall_rule
|
|
- action: action-response
|
|
- description: description
|
|
- source_ip_address: source_ip_address
|
|
- tenant_id: project_id
|
|
- project_id: project_id
|
|
- enabled: enabled
|
|
- protocol: protocol
|
|
- source_port: source_port
|
|
- ip_version: ip_version
|
|
- destination_ip_address: destination_ip_address-response
|
|
- destination_port: destination_port-response
|
|
- enabled: enabled-response
|
|
- firewall_policy_id: firewall_policy_id
|
|
- id: firewall_rule_id-body
|
|
- ip_version: ip_version-response
|
|
- name: name
|
|
- position: position
|
|
- protocol: protocol-response
|
|
- shared: shared-response
|
|
- source_ip_address: source_ip_address
|
|
- source_port: source_port-response
|
|
|
|
Response Example
|
|
----------------
|
|
|
|
.. literalinclude:: samples/firewalls/firewall-rule-update-response.json
|
|
:language: javascript
|
|
|
|
Delete firewall rule
|
|
====================
|
|
|
|
.. rest_method:: DELETE /v2.0/fw/firewall_rules/{firewall_rule_id}
|
|
|
|
Deletes a firewall rule.
|
|
|
|
Normal response codes: 204
|
|
|
|
Error response codes: 401, 404, 409
|
|
|
|
Request
|
|
-------
|
|
|
|
.. rest_parameters:: parameters.yaml
|
|
|
|
- firewall_rule_id: firewall_rule_id
|
|
|
|
Response
|
|
--------
|
|
|
|
There is no body content for the response of a successful DELETE request.
|
|
|
|
List firewalls
|
|
==============
|
|
|
|
.. rest_method:: GET /v2.0/fw/firewalls
|
|
|
|
Lists all firewalls.
|
|
|
|
The list might be empty.
|
|
|
|
Normal response codes: 200
|
|
|
|
Error response codes: 401, 403
|
|
|
|
Request
|
|
-------
|
|
|
|
Response Parameters
|
|
-------------------
|
|
|
|
.. rest_parameters:: parameters.yaml
|
|
|
|
- firewalls: firewalls
|
|
- admin_state_up: admin_state_up
|
|
- tenant_id: project_id
|
|
- project_id: project_id
|
|
- description: description
|
|
- firewall_policy_id: firewall_policy_id-body
|
|
- id: firewall_id-body
|
|
- name: name
|
|
- status: firewall-status
|
|
|
|
Response Example
|
|
----------------
|
|
|
|
.. literalinclude:: samples/firewalls/firewalls-list-response.json
|
|
:language: javascript
|
|
|
|
Create firewall
|
|
===============
|
|
|
|
.. rest_method:: POST /v2.0/fw/firewalls
|
|
|
|
Creates a firewall.
|
|
|
|
The firewall must be associated with a firewall policy.
|
|
|
|
If ``admin_state_up`` is ``false``, the firewall would block all
|
|
traffic.
|
|
|
|
Normal response codes: 201
|
|
|
|
Error response codes: 400, 401
|
|
|
|
Request
|
|
-------
|
|
|
|
.. rest_parameters:: parameters.yaml
|
|
|
|
- firewall: firewall
|
|
- admin_state_up: admin_state_up
|
|
- firewall_policy_id: firewall_policy_id-body
|
|
- description: description-request
|
|
- name: name
|
|
- router_ids: router_ids
|
|
|
|
Request Example
|
|
---------------
|
|
|
|
.. literalinclude:: samples/firewalls/firewall-create-request.json
|
|
:language: javascript
|
|
|
|
Response Parameters
|
|
-------------------
|
|
|
|
.. rest_parameters:: parameters.yaml
|
|
|
|
- firewall: firewall
|
|
- tenant_id: project_id
|
|
- project_id: project_id
|
|
- admin_state_up: admin_state_up
|
|
- description: description
|
|
- firewall_policy_id: firewall_policy_id-body
|
|
- id: firewall_id-body
|
|
- name: name
|
|
- status: firewall-status
|
|
- router_ids: router_ids-response
|
|
|
|
Response Example
|
|
----------------
|
|
|
|
.. literalinclude:: samples/firewalls/firewall-create-response.json
|
|
:language: javascript
|
|
|
|
Show firewall details
|
|
=====================
|
|
|
|
.. rest_method:: GET /v2.0/fw/firewalls/{firewall_id}
|
|
|
|
Shows details for a firewall.
|
|
|
|
If the user is not an administrative user and the firewall object
|
|
does not belong to the project, this call returns the
|
|
``Forbidden (403)`` response code.
|
|
|
|
Normal response codes: 200
|
|
|
|
Error response codes: 401, 403, 404
|
|
|
|
Request
|
|
-------
|
|
|
|
.. rest_parameters:: parameters.yaml
|
|
|
|
- firewall_id: firewall_id
|
|
|
|
Response Parameters
|
|
-------------------
|
|
|
|
.. rest_parameters:: parameters.yaml
|
|
|
|
- firewall: firewall
|
|
- tenant_id: project_id
|
|
- project_id: project_id
|
|
- admin_state_up: admin_state_up
|
|
- description: description
|
|
- status: firewall-status
|
|
- firewall_policy_id: firewall_policy_id
|
|
- id: firewall_rule_id-body
|
|
- name: name
|
|
- router_ids: router_ids-response
|
|
|
|
Response Example
|
|
----------------
|
|
|
|
.. literalinclude:: samples/firewalls/firewall-show-response.json
|
|
:language: javascript
|
|
|
|
Update firewall
|
|
===============
|
|
|
|
.. rest_method:: PUT /v2.0/fw/firewalls/{firewall_id}
|
|
|
|
Updates a firewall.
|
|
|
|
To update a service, the service status cannot be a ``PENDING_*``
|
|
status.
|
|
|
|
Normal response codes: 200
|
|
|
|
Error response codes: 400, 401, 404
|
|
|
|
Request
|
|
-------
|
|
|
|
.. rest_parameters:: parameters.yaml
|
|
|
|
- firewall_id: firewall_id
|
|
- firewall: firewall
|
|
- admin_state_up: admin_state_up
|
|
- description: description-request
|
|
- firewall_policy_id: firewall_policy_id-body
|
|
- name: name
|
|
- router_ids: router_ids
|
|
|
|
Request Example
|
|
---------------
|
|
|
|
.. literalinclude:: samples/firewalls/firewall-update-request.json
|
|
:language: javascript
|
|
|
|
Response Parameters
|
|
-------------------
|
|
|
|
.. rest_parameters:: parameters.yaml
|
|
|
|
- firewall: firewall
|
|
- tenant_id: project_id
|
|
- project_id: project_id
|
|
- admin_state_up: admin_state_up
|
|
- description: description
|
|
- status: firewall-status
|
|
- firewall_policy_id: firewall_policy_id-body
|
|
- id: firewall_id-body
|
|
- name: name
|
|
- router_ids: router_ids-response
|
|
|
|
Response Example
|
|
----------------
|
|
|
|
.. literalinclude:: samples/firewalls/firewall-update-response.json
|
|
:language: javascript
|
|
|
|
Delete firewall
|
|
===============
|
|
|
|
.. rest_method:: DELETE /v2.0/fw/firewalls/{firewall_id}
|
|
|
|
Deletes a firewall.
|
|
|
|
Normal response codes: 204
|
|
|
|
Error response codes: 401, 404, 409
|
|
|
|
Request
|
|
-------
|
|
|
|
.. rest_parameters:: parameters.yaml
|
|
|
|
- firewall_id: firewall_id
|
|
|
|
Response
|
|
--------
|
|
|
|
There is no body content for the response of a successful DELETE request.
|