FWaaS Group Ordering Spec

Change-Id: I9a2a6d59d6c446f42189f90bb8c79223d8874670

specs/zed/fwaas-group-ordering.rst

@@ -0,0 +1,60 @@
+..
+ This work is licensed under a Creative Commons Attribution 3.0 Unported
+ License.
+
+ http://creativecommons.org/licenses/by/3.0/legalcode
+
+===========================================
+Firewall Group Ordering on Port Association
+===========================================
+
+https://bugs.launchpad.net/neutron/+bug/1979816
+
+Currently, packets will sometimes be passed, and other times be blocked,
+depending on the ordering of groups applied to a port. This is contrary
+to the existing FWaaS spec, which states that a packet will be allowed so long
+as any group on the port would allow the packet.
+
+Problem Description
+===================
+
+Refer to the linked RFE.
+
+Proposed Change
+===============
+
+Similar to `firewall_policy_rule_associations_v2`, the
+`firewall_group_port_associations_v2` table should have a required
+`position` column to maintain the order in which `firewall groups` are
+applied to ports.
+
+In addition, modification of this ordering should be limited by user role.
+For example, an openstack administrator may want a particular group to always be
+applied first or last, regardless of which groups are added to a port by a tenant.
+In iptables, this is typically referred to as `Head` and `Tail` rules. All `Head`
+groups should be applied first, in order. All `Tail` groups should be applied last,
+in order. All other groups would be applied in between, again, in order. Only
+openstack administrators should have access to the `Head` and `Tail` tiers.
+
+Ex.
+
++--------------------------------------+--------------------------------------+----------+----------+
+| firewall_group_id                    | port_id                              | position | tier     |
++--------------------------------------+--------------------------------------+----------+----------+
+| da4be831-907b-43d9-86e0-b14a3bd391fc | efb7d60e-d3fc-4f97-91ed-ca71d930bb7c |        1 | head     |
++--------------------------------------+--------------------------------------+----------+----------+
+| 0814e179-d2be-464a-a9d4-e13c94451532 | efb7d60e-d3fc-4f97-91ed-ca71d930bb7c |        2 | head     |
++--------------------------------------+--------------------------------------+----------+----------+
+| 33ce9937-d9db-48b8-a65d-05fa3a75844a | efb7d60e-d3fc-4f97-91ed-ca71d930bb7c |        1 | null     |
++--------------------------------------+--------------------------------------+----------+----------+
+| 6b3172af-9ae0-40e4-b455-c70de7c80c24 | efb7d60e-d3fc-4f97-91ed-ca71d930bb7c |        2 | null     |
++--------------------------------------+--------------------------------------+----------+----------+
+| 70a7087e-c6ae-4cef-9b30-35e702746b68 | efb7d60e-d3fc-4f97-91ed-ca71d930bb7c |        1 | tail     |
++--------------------------------------+--------------------------------------+----------+----------+
+| ff1e5eda-c285-4ec2-80f8-49f1a6d77347 | efb7d60e-d3fc-4f97-91ed-ca71d930bb7c |        2 | tail     |
++--------------------------------------+--------------------------------------+----------+----------+
+
+References
+==========
+
+https://etherpad.opendev.org/p/fwaas-api-evolution-spec