From 5b80f9266879159b5b85d757993409402ff76b68 Mon Sep 17 00:00:00 2001 From: Anthony Timmins Date: Fri, 29 Jul 2022 15:20:10 -0400 Subject: [PATCH] FWaaS Group Ordering Spec Change-Id: I9a2a6d59d6c446f42189f90bb8c79223d8874670 --- specs/zed/fwaas-group-ordering.rst | 60 ++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 specs/zed/fwaas-group-ordering.rst diff --git a/specs/zed/fwaas-group-ordering.rst b/specs/zed/fwaas-group-ordering.rst new file mode 100644 index 000000000..d5d8070ca --- /dev/null +++ b/specs/zed/fwaas-group-ordering.rst 
@@ -0,0 +1,60 @@ +.. + This work is licensed under a Creative Commons Attribution 3.0 Unported + License. + + http://creativecommons.org/licenses/by/3.0/legalcode + +=========================================== +Firewall Group Ordering on Port Association +=========================================== + +https://bugs.launchpad.net/neutron/+bug/1979816 + +Currently, packets will sometimes be passed, and other times be blocked, +depending on the ordering of groups applied to a port. This is contrary +to the existing FWaaS spec, which states that a packet will be allowed so long +as any group on the port would allow the packet. + +Problem Description +=================== + +Refer to the linked RFE. + +Proposed Change +=============== + +Similar to `firewall_policy_rule_associations_v2`, the +`firewall_group_port_associations_v2` table should have a required +`position` column to maintain the order in which `firewall groups` are +applied to ports. + +In addition, modification of this ordering should be limited by user role. +For example, an openstack administrator may want a particular group to always be +applied first or last, regardless of which groups are added to a port by a tenant. +In iptables, this is typically referred to as `Head` and `Tail` rules. All `Head` +groups should be applied first, in order. All `Tail` groups should be applied last, +in order. All other groups would be applied in between, again, in order. Only +openstack administrators should have access to the `Head` and `Tail` tiers. + +Ex. 
+ ++--------------------------------------+--------------------------------------+----------+----------+ +| firewall_group_id | port_id | position | tier | ++--------------------------------------+--------------------------------------+----------+----------+ +| da4be831-907b-43d9-86e0-b14a3bd391fc | efb7d60e-d3fc-4f97-91ed-ca71d930bb7c | 1 | head | ++--------------------------------------+--------------------------------------+----------+----------+ +| 0814e179-d2be-464a-a9d4-e13c94451532 | efb7d60e-d3fc-4f97-91ed-ca71d930bb7c | 2 | head | ++--------------------------------------+--------------------------------------+----------+----------+ +| 33ce9937-d9db-48b8-a65d-05fa3a75844a | efb7d60e-d3fc-4f97-91ed-ca71d930bb7c | 1 | null | ++--------------------------------------+--------------------------------------+----------+----------+ +| 6b3172af-9ae0-40e4-b455-c70de7c80c24 | efb7d60e-d3fc-4f97-91ed-ca71d930bb7c | 2 | null | ++--------------------------------------+--------------------------------------+----------+----------+ +| 70a7087e-c6ae-4cef-9b30-35e702746b68 | efb7d60e-d3fc-4f97-91ed-ca71d930bb7c | 1 | tail | ++--------------------------------------+--------------------------------------+----------+----------+ +| ff1e5eda-c285-4ec2-80f8-49f1a6d77347 | efb7d60e-d3fc-4f97-91ed-ca71d930bb7c | 2 | tail | ++--------------------------------------+--------------------------------------+----------+----------+ + +References +========== + +https://etherpad.opendev.org/p/fwaas-api-evolution-spec
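Review bot: the Proposed Change text only introduces a `position` column on `firewall_group_port_associations_v2`, yet the example table also carries a `tier` column (`head`, `null`, `tail`) and restarts `position` at 1 inside each tier; the spec should state explicitly that both columns are being added, which of them may be null, and that the uniqueness constraint is on `(port_id, tier, position)` rather than on `(port_id, position)`, since the example otherwise shows duplicate positions for the same port. It should also name where the role restriction is enforced (e.g. which policy rule gates setting `tier` to `head` or `tail`) and how existing associations get a `position` in the migration, because "a required `position` column" with no default will fail for rows that already exist. Finally, "Refer to the linked RFE" under Problem Description leaves the spec without a self-contained statement of the bug; a two or three sentence summary of the observed pass/block inconsistency from the first paragraph would suffice.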