
Merge "fwaas 2.0 address groups support"

Zuul 9 months ago
parent
commit
86566de1de
1 changed file with 954 additions and 0 deletions

specs/rocky/fwaas-2.0-address-groups-support.rst (+954, -0)

@@ -0,0 +1,954 @@
1
+..
2
+ This work is licensed under a Creative Commons Attribution 3.0 Unported
3
+ License.
4
+
5
+ http://creativecommons.org/licenses/by/3.0/legalcode
6
+
7
+===============================================================
8
+Firewall as a Service API 2.0 Address Groups Support
9
+===============================================================
10
+
11
+**Launchpad blueprint:**
12
+
13
+| https://blueprints.launchpad.net/neutron/+spec/fwaas-2.0-address-groups
14
+
15
+This bp introduces a enhancement to Firewall as a Service(FWaaS) API 2.0
16
+for supporting address groups. This feature has been proposed in
17
+fwaas-api-2.0 but still not implemented.
18
+
19
+Problem Description
20
+===================
21
+
22
+In actual use of firewall groups, each IP or subnet requires a
23
+corresponding firewall rule. When there are a large number of instances,
24
+a large number of firewall rules are generated and it is difficult to
25
+maintain and manage them.
26
+
27
+
28
+Proposed Change
29
+===============
30
+
31
+Add address group functions to a firewall group. By aggregating multiple
32
+address objects into address groups and using address groups instead of
33
+the original cidr to generate firewall rules, the number of firewall rules
34
+can be effectively reduced.
35
+
36
+
37
+REST API Impact
38
+---------------
39
+
40
+Firewall Address Groups
41
+~~~~~~~~~~~~~~~~~~~~~~~~
42
+
43
++-------------------+---------+-------+------+---------------------------------------+
44
+| Attribute         | Type    | Req   | CRUD | Description                           |
45
++===================+=========+=======+======+=======================================+
46
+| id                | uuid-str| N/A   | R    | Unique identifier for the             |
47
+|                   |         |       |      | address_group object.                 |
48
++-------------------+---------+-------+------+---------------------------------------+
49
+| name              | String  | No    | CRU  | Human readable name for the address   |
50
+|                   |         |       |      | group (255 characters limit). Does not|
51
+|                   |         |       |      | have to be unique.                    |
52
++-------------------+---------+-------+------+---------------------------------------+
53
+| description       | String  | No    | CRU  | Human readable description for the    |
54
+|                   |         |       |      | address group (255 characters limit). |
55
++-------------------+---------+-------+------+---------------------------------------+
56
+| project_id        | uuid-str| No    | CR   | Owner of the address group. Only      |
57
+|                   |         |       |      | admin users can specify a project     |
58
+|                   |         |       |      | identifier other than their own.      |
59
++-------------------+---------+-------+------+---------------------------------------+
60
+| addresses         | List    | Yes   | CRU  | Array of key-value pairs of address   |
61
+|                   |         |       |      | and ip version. It supports both CIDR |
62
+|                   |         |       |      | and IP range objects. Attributes of   |
63
+|                   |         |       |      | CIDR and IP range objects:            |
64
+|                   |         |       |      | "address": <CIDR or IP range>         |
65
+|                   |         |       |      | "ip_version": 4 or 6(Integer value)   |
66
+|                   |         |       |      | An example of addresses:              |
67
+|                   |         |       |      | [{"address": "132.168.4.12/24",       |
68
+|                   |         |       |      | "ip_version": 4}]                     |
69
++-------------------+---------+-------+------+---------------------------------------+
70
+
71
+|
72
+
73
+Firewall Rules
74
+~~~~~~~~~~~~~~
75
+
76
+Note that as with FWaaS 1.0, in FWaaS 2.0 firewall rules always use stateful connection
77
+tracking.
78
+
79
++------------------------+------------+-----+------+---------------------------------------+
80
+| Attribute              | Type       | Req | CRUD |  Description                          |
81
++========================+============+=====+======+=======================================+
82
+| id                     | uuid-str   | N/A | R    | Unique identifier for the firewall    |
83
+|                        |            |     |      | rule object.                          |
84
++------------------------+------------+-----+------+---------------------------------------+
85
+| project_id             | uuid-str   | No  | CR   | Owner of the firewall rule. Only      |
86
+|                        |            |     |      | admin users can specify a project     |
87
+|                        |            |     |      | identifier other than their own.      |
88
++------------------------+------------+-----+------+---------------------------------------+
89
+| name                   | String     | No  | CRU  | Human readable name for the firewall  |
90
+|                        |            |     |      | rule (255 characters limit). Does     |
91
+|                        |            |     |      | not have to be unique.                |
92
++------------------------+------------+-----+------+---------------------------------------+
93
+| description            | String     | No  | CRU  | Human readable description for the    |
94
+|                        |            |     |      | firewall Rule (255 characters limit). |
95
++------------------------+------------+-----+------+---------------------------------------+
96
+| shared                 | Bool       | No  | CRU  | When set to True makes this firewall  |
97
+|                        |            |     |      | rule visible to projects other than   |
98
+|                        |            |     |      | its owner, and can be used in         |
99
+|                        |            |     |      | firewall policies not owned by its    |
100
+|                        |            |     |      | project.                              |
101
++------------------------+------------+-----+------+---------------------------------------+
102
+| protocol               | String     | No  | CRU  | IP Protocol.                          |
103
++------------------------+------------+-----+------+---------------------------------------+
104
+| source_port            | port-range | No  | CRU  | Source port number or a range (an     |
105
+|                        |            |     |      | int in [1, 65535] or range in a:b).   |
106
++------------------------+------------+-----+------+---------------------------------------+
107
+| destination_port       | port-range | No  | CRU  | Destination port number or a range (  |
108
+|                        |            |     |      | an int in [1, 65535] or range in a:b).|
109
++------------------------+------------+-----+------+---------------------------------------+
110
+| ip_version             | Integer    | No  | CRU  | IP Protocol Version.                  |
111
++------------------------+------------+-----+------+---------------------------------------+
112
+| source_ip_address      | String     | No  | CRU  | Source IP address or CIDR.            |
113
++------------------------+------------+-----+------+---------------------------------------+
114
+| destination_ip_address | String     | No  | CRU  | Destination IP address or CIDR.       |
115
++------------------------+------------+-----+------+---------------------------------------+
116
+| source_address         | List       | No  | CRU  | This is a list of source address      |
117
+| _group_ids             |            |     |      | groups. When they are specified, they |
118
+|                        |            |     |      | are matched when the source IP address|
119
+|                        |            |     |      | in the packet matches one of the IP   |
120
+|                        |            |     |      | addresses in one of the address       |
121
+|                        |            |     |      | groups.                               |
122
++------------------------+------------+-----+------+---------------------------------------+
123
+| destination_address    | List       | No  | CRU  | This is a list of destination address |
124
+| _group_ids             |            |     |      | groups. When they are specified, they |
125
+|                        |            |     |      | are matched when the destination IP   |
126
+|                        |            |     |      | address in the packet matches one of  |
127
+|                        |            |     |      | the IP addresses in one of the address|
128
+|                        |            |     |      | groups.                               |
129
++------------------------+------------+-----+------+---------------------------------------+
130
+| action                 | String     | No  | CRU  | Action to be performed on the         |
131
+|                        |            |     |      | traffic matching the rule (ALLOW,     |
132
+|                        |            |     |      | DENY, REJECT). Default: DENY.         |
133
++------------------------+------------+-----+------+---------------------------------------+
134
+| enabled                | Bool       | No  | CRU  | When set to False will disable this   |
135
+|                        |            |     |      | rule in the firewall policy.          |
136
+|                        |            |     |      | Facilitates selectively turning off   |
137
+|                        |            |     |      | rules without having to disassociate  |
138
+|                        |            |     |      | the rule from the firewall policy.    |
139
+|                        |            |     |      | Default: True.                        |
140
++------------------------+------------+-----+------+---------------------------------------+
141
+
142
+|
143
+
144
+Note: At most one of source_ip_address, source_address_group_ids and
145
+source_firewall_group_id can be specified.  The rule is matched when the
146
+source IP address in the packet matches any one of: source_ip_address,
147
+one of the IP addresses in the address group, or an IP address of one
148
+of the ports in the firewall group. If you want it to match any packet,
149
+set the source or destination to 0.0.0.0/0 or ::/0. The same applies to
150
+destination_ip_address, destination_address_group_ids, and destination
151
+_firewall_group_id, with respect to the destination IP address in the
152
+packet.
153
+
154
+
155
+List address groups
156
+^^^^^^^^^^^^^^^^^^^^^
157
+
158
+Lists address groups.
159
+
160
+    +----------------+------------------------------------------------+
161
+    | Request Type   | ``GET``                                        |
162
+    +----------------+------------------------------------------------+
163
+    | Endpoint       | ``/v2.0/fwaas/address_groups``                 |
164
+    +----------------+---------+--------------------------------------+
165
+    |                | Success | 200                                  |
166
+    | Response Codes +---------+--------------------------------------+
167
+    |                | Error   | Unauthorized(401)                    |
168
+    +----------------+---------+--------------------------------------+
169
+
170
+|
171
+
172
+**Example List address groups: JSON request**
173
+
174
+.. code::
175
+
176
+    GET /v2.0/fwaas/address_groups.json
177
+    User-Agent: python-neutronclient
178
+    Accept: application/json
179
+
180
+**Example List address groups: JSON response**
181
+
182
+
183
+.. code::
184
+
185
+    {
186
+        "address_groups": [
187
+            {
188
+                "description": "",
189
+                "id": "8722e0e0-9cc9-4490-9660-8c9a5732fbb0",
190
+                "name": "ADDR_GP_1",
191
+                "project_id": "45977fa2dbd7482098dd68d0d8970117",
192
+                "addresses": [
193
+                   {"address": "132.168.4.12/24", "ip_version": 4},
194
+                   {"address": "132.168.5.12-132.168.5.24", "ip_version": 4},
195
+                   {"address": "2001::db8::f00/64", "ip_version": 6}
196
+                ]
197
+            }
198
+        ]
199
+    }
200
+
201
+Show address group details
202
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
203
+
204
+Shows address group details.
205
+
206
+    +----------------+----------------------------------------------------+
207
+    | Request Type   | ``GET``                                            |
208
+    +----------------+----------------------------------------------------+
209
+    | Endpoint       | ``/v2.0/fwaas/address_groups/<address_group_id>``  |
210
+    +----------------+---------+------------------------------------------+
211
+    |                | Success | 200                                      |
212
+    | Response Codes +---------+------------------------------------------+
213
+    |                | Error   | Unauthorized(401), Not Found (404)       |
214
+    +----------------+---------+------------------------------------------+
215
+
216
+|
217
+
218
+**Example Show address group: JSON request**
219
+
220
+.. code::
221
+
222
+    GET /v2.0/fwaas/address_groups/8722e0e0-9cc9-4490-9660-8c9a5732fbb0.json
223
+    User-Agent: python-neutronclient
224
+    Accept: application/json
225
+
226
+
227
+**Example Show address group: JSON response**
228
+
229
+.. code::
230
+
231
+    {
232
+       "address_group": {
233
+            "description": "",
234
+            "id": "8722e0e0-9cc9-4490-9660-8c9a5732fbb0",
235
+            "name": "ADDR_GP_1",
236
+            "project_id": "45977fa2dbd7482098dd68d0d8970117",
237
+            "addresses": [
238
+               {"address": "132.168.4.12/24", "ip_version": 4},
239
+               {"address": "132.168.5.12-132.168.5.24", "ip_version": 4},
240
+               {"address": "2001::db8::f00/64", "ip_version": 6}
241
+            ]
242
+        }
243
+    }
244
+
245
+
246
+
247
+Create address group
248
+^^^^^^^^^^^^^^^^^^^^^
249
+
250
+Creates an address group.
251
+
252
+    +----------------+------------------------------------------------+
253
+    | Request Type   | ``POST``                                       |
254
+    +----------------+------------------------------------------------+
255
+    | Endpoint       | ``/v2.0/fwaas/address_groups/``                |
256
+    +----------------+---------+--------------------------------------+
257
+    |                | Success | 201                                  |
258
+    | Response Codes +---------+--------------------------------------+
259
+    |                | Error   | Unauthorized(401), Bad Request(400)  |
260
+    +----------------+---------+--------------------------------------+
261
+
262
+|
263
+
264
+**Example Create address group: JSON request**
265
+
266
+.. code::
267
+
268
+    POST /v2.0/fwaas/address_groups.json
269
+    User-Agent: python-neutronclient
270
+    Accept: application/json
271
+
272
+.. code::
273
+
274
+    {
275
+        "address_group": {
276
+            "name": "ADDR_GP_1",
277
+            "addresses": [
278
+               {"address": "132.168.4.12/24", "ip_version": 4},
279
+               {"address": "132.168.5.12-132.168.5.24", "ip_version": 4},
280
+               {"address": "2001::db8::f00/64", "ip_version": 6}
281
+            ]
282
+        }
283
+    }
284
+
285
+**Example Create address group: JSON response**
286
+
287
+.. code::
288
+
289
+    HTTP/1.1 201 Created
290
+    Content-Type: application/json; charset=UTF-8
291
+
292
+.. code::
293
+
294
+    {
295
+       "address_group": {
296
+            "description": "",
297
+            "id": "8722e0e0-9cc9-4490-9660-8c9a5732fbb0",
298
+            "name": "ADDR_GP_1",
299
+            "project_id": "45977fa2dbd7482098dd68d0d8970117",
300
+            "addresses": [
301
+               {"address": "132.168.4.12/24", "ip_version": 4},
302
+               {"address": "132.168.5.12-132.168.5.24", "ip_version": 4},
303
+               {"address": "2001::db8::f00/64", "ip_version": 6}
304
+            ]
305
+        }
306
+    }
307
+
308
+
309
+Update address group
310
+^^^^^^^^^^^^^^^^^^^^^
311
+
312
+Updates an address group.
313
+
314
+    +----------------+----------------------------------------------------+
315
+    | Request Type   | ``PUT``                                            |
316
+    +----------------+----------------------------------------------------+
317
+    | Endpoint       | ``/v2.0/fwaas/address_groups/<address_group_id>``  |
318
+    +----------------+---------+------------------------------------------+
319
+    |                | Success | 200                                      |
320
+    | Response Codes +---------+------------------------------------------+
321
+    |                | Error   | Unauthorized(401), Bad Request(400) \    |
322
+    |                |         | Not Found(404)                           |
323
+    +----------------+---------+------------------------------------------+
324
+
325
+|
326
+
327
+**Example Update address group: JSON request**
328
+
329
+.. code::
330
+
331
+    PUT /v2.0/fwaas/address_groups/8722e0e0-9cc9-4490-9660-8c9a5732fbb0.json
332
+    User-Agent: python-neutronclient
333
+    Accept: application/json
334
+
335
+.. code::
336
+
337
+    {
338
+        "address_group": {
339
+            "addresses": [
340
+               {"address": "132.168.4.12/24", "ip_version": 4},
341
+               {"address": "132.168.5.12-132.168.5.24", "ip_version": 4},
342
+               {"address": "2001::db8::f00/64", "ip_version": 6}
343
+            ]
344
+        }
345
+    }
346
+
347
+
348
+**Example Update address group: JSON response**
349
+
350
+.. code::
351
+
352
+    HTTP/1.1 200 OK
353
+    Content-Type: application/json; charset=UTF-8
354
+
355
+.. code::
356
+
357
+    {
358
+       "address_group": {
359
+            "description": "",
360
+            "id": "8722e0e0-9cc9-4490-9660-8c9a5732fbb0",
361
+            "name": "ADDR_GP_1",
362
+            "project_id": "45977fa2dbd7482098dd68d0d8970117",
363
+            "addresses": [
364
+               {"address": "132.168.4.12/24", "ip_version": 4},
365
+               {"address": "132.168.5.12-132.168.5.24", "ip_version": 4},
366
+               {"address": "2001::db8::f00/64", "ip_version": 6}
367
+            ]
368
+        }
369
+    }
370
+
371
+
372
+Delete address group
373
+^^^^^^^^^^^^^^^^^^^^^
374
+
375
+Deletes an address group.
376
+
377
+This operation does not return a response body.
378
+
379
+    +----------------+----------------------------------------------------+
380
+    | Request Type   | ``DELETE``                                         |
381
+    +----------------+----------------------------------------------------+
382
+    | Endpoint       | ``/v2.0/fwaas/address_groups/<address_group_id>``  |
383
+    +----------------+---------+------------------------------------------+
384
+    |                | Success | 204                                      |
385
+    | Response Codes +---------+------------------------------------------+
386
+    |                | Error   | Unauthorized(401), Not Found(404)        |
387
+    |                |         | Conflict(409) The Conflict error response|
388
+    |                |         | is returned when an operation is         |
389
+    |                |         | performed while address group is in use. |
390
+    +----------------+---------+------------------------------------------+
391
+
392
+|
393
+
394
+**Example Delete address group: JSON request**
395
+
396
+.. code::
397
+
398
+    DELETE /v2.0/fwaas/address_groups/8722e0e0-9cc9-4490-9660-8c9a5732fbb0.json
399
+    User-Agent: python-neutronclient
400
+    Accept: application/json
401
+
402
+**Example Delete address group: JSON response**
403
+
404
+.. code::
405
+
406
+    HTTP/1.1 204 No Content
407
+    Content-Length: 0
408
+
409
+
410
+List firewall rules
411
+^^^^^^^^^^^^^^^^^^^^
412
+
413
+Lists firewall rules.
414
+
415
+    +----------------+------------------------------------------------+
416
+    | Request Type   | ``GET``                                        |
417
+    +----------------+------------------------------------------------+
418
+    | Endpoint       | ``/v2.0/fwaas/firewall_rules``                 |
419
+    +----------------+---------+--------------------------------------+
420
+    |                | Success | 200                                  |
421
+    | Response Codes +---------+--------------------------------------+
422
+    |                | Error   | Unauthorized(401)                    |
423
+    +----------------+---------+--------------------------------------+
424
+
425
+|
426
+
427
+**Example List firewall rules: JSON request**
428
+
429
+.. code::
430
+
431
+    GET /v2.0/fwaas/firewall_rules.json
432
+    User-Agent: python-neutronclient
433
+    Accept: application/json
434
+
435
+
436
+
437
+**Example List firewall rules: JSON response**
438
+
439
+
440
+.. code::
441
+
442
+    {
443
+        "firewall_rules": [
444
+            {
445
+                "action": "ALLOW",
446
+                "description": "",
447
+                "enabled": true,
448
+                "firewall_policy_id": "56632e51-d2aa-4b79-9fd4-45f51088c4ed",
449
+                "id": "9faaf49f-dd89-4e39-a8c6-101839aa49bc",
450
+                "name": "ALLOW_HTTP",
451
+                "position": 1,
452
+                "shared": false,
453
+                "protocol": "tcp",
454
+                "source_port": null,
455
+                "destination_port": "80",
456
+                "ip_version": 4,
457
+                "source_ip_address": null,
458
+                "destination_ip_address": null
459
+                "source_address_group_ids": [],
460
+                "destination_address_group_ids": ["8315762a-f0ae-4f6b-981a-a16a6c3103c2"],
461
+                "project_id": "45977fa2dbd7482098dd68d0d8970117"
462
+            }
463
+        ]
464
+    }
465
+
466
+Show firewall rule details
467
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
468
+
469
+Shows firewall rule details.
470
+
471
+    +----------------+----------------------------------------------------+
472
+    | Request Type   | ``GET``                                            |
473
+    +----------------+----------------------------------------------------+
474
+    | Endpoint       | ``/v2.0/fwaas/firewall_rules/<firewall_rule_id>``  |
475
+    +----------------+---------+------------------------------------------+
476
+    |                | Success | 200                                      |
477
+    | Response Codes +---------+------------------------------------------+
478
+    |                | Error   | Unauthorized(401), Not Found (404)       |
479
+    +----------------+---------+------------------------------------------+
480
+
481
+|
482
+
483
+**Example Show firewall rule: JSON request**
484
+
485
+.. code::
486
+
487
+    GET /v2.0/fwaas/firewall_rules/9faaf49f-dd89-4e39-a8c6-101839aa49bc.json
488
+    User-Agent: python-neutronclient
489
+    Accept: application/json
490
+
491
+
492
+**Example Show firewall rule: JSON response**
493
+
494
+.. code::
495
+
496
+    {
497
+        "firewall_rule": {
498
+            "action": "ALLOW",
499
+            "description": "",
500
+            "enabled": true,
501
+            "firewall_policy_id": "56632e51-d2aa-4b79-9fd4-45f51088c4ed",
502
+            "id": "9faaf49f-dd89-4e39-a8c6-101839aa49bc",
503
+            "name": "ALLOW_HTTP",
504
+            "position": 1,
505
+            "shared": false,
506
+            "protocol": "tcp",
507
+            "source_port": null,
508
+            "destination_port": "80",
509
+            "ip_version": 4,
510
+            "source_ip_address": null,
511
+            "destination_ip_address": null,
512
+            "source_address_group_ids": [],
513
+            "destination_address_group_ids": ["8315762a-f0ae-4f6b-981a-a16a6c3103c2"],
514
+            "project_id": "45977fa2dbd7482098dd68d0d8970117"
515
+        }
516
+    }
517
+
518
+
519
+
520
+Create firewall rule
521
+^^^^^^^^^^^^^^^^^^^^^
522
+
523
+Creates a firewall rule.
524
+
525
+    +----------------+------------------------------------------------+
526
+    | Request Type   | ``POST``                                       |
527
+    +----------------+------------------------------------------------+
528
+    | Endpoint       | ``/v2.0/fwaas/firewall_rules/``                |
529
+    +----------------+---------+--------------------------------------+
530
+    |                | Success | 201                                  |
531
+    | Response Codes +---------+--------------------------------------+
532
+    |                | Error   | Unauthorized(401), Bad Request(400)  |
533
+    +----------------+---------+--------------------------------------+
534
+
535
+|
536
+
537
+**Example Create firewall rule: JSON request**
538
+
539
+.. code::
540
+
541
+    POST /v2.0/fwaas/firewall_rules.json
542
+    User-Agent: python-neutronclient
543
+    Accept: application/json
544
+
545
+.. code::
546
+
547
+    {
548
+        "firewall_rule": {
549
+            "action": "ALLOW",
550
+            "enabled": true,
551
+            "name": "ALLOW_HTTP",
552
+            "protocol": "tcp",
553
+            "source_port": null,
554
+            "destination_port": "80",
555
+            "source_ip_address": null,
556
+            "destination_ip_address": null,
557
+            "source_address_group_ids": [],
558
+            "destination_address_group_ids": ["8315762a-f0ae-4f6b-981a-a16a6c3103c2"]
559
+        }
560
+    }
561
+
562
+**Example Create firewall rule: JSON response**
563
+
564
+.. code::
565
+
566
+    HTTP/1.1 201 Created
567
+    Content-Type: application/json; charset=UTF-8
568
+
569
+.. code::
570
+
571
+    {
572
+        "firewall_rule": {
573
+            "action": "ALLOW",
574
+            "description": "",
575
+            "enabled": true,
576
+            "firewall_policy_id": null,
577
+            "id": "9faaf49f-dd89-4e39-a8c6-101839aa49bc",
578
+            "name": "ALLOW_HTTP",
579
+            "position": 1,
580
+            "shared": false,
581
+            "protocol": "tcp",
582
+            "source_port": null,
583
+            "destination_port": "80",
584
+            "ip_version": 4,
585
+            "source_ip_address": null,
586
+            "destination_ip_address": null,
587
+            "source_address_group_ids": [],
588
+            "destination_address_group_ids": ["8315762a-f0ae-4f6b-981a-a16a6c3103c2"],
589
+            "project_id": "45977fa2dbd7482098dd68d0d8970117"
590
+        }
591
+    }
592
+
593
+
594
+Update firewall rule
595
+^^^^^^^^^^^^^^^^^^^^^
596
+
597
+Updates a firewall rule.
598
+
599
+    +----------------+----------------------------------------------------+
600
+    | Request Type   | ``PUT``                                            |
601
+    +----------------+----------------------------------------------------+
602
+    | Endpoint       | ``/v2.0/fwaas/firewall_rules/<firewall_rule_id>``  |
603
+    +----------------+---------+------------------------------------------+
604
+    |                | Success | 200                                      |
605
+    | Response Codes +---------+------------------------------------------+
606
+    |                | Error   | Unauthorized(401), Bad Request(400) \    |
607
+    |                |         | Not Found(404)                           |
608
+    +----------------+---------+------------------------------------------+
609
+
610
+|
611
+
612
+**Example Update firewall rule: JSON request**
613
+
614
+.. code::
615
+
616
+    PUT /v2.0/fwaas/firewall_rules/9faaf49f-dd89-4e39-a8c6-101839aa49bc.json
617
+    User-Agent: python-neutronclient
618
+    Accept: application/json
619
+
620
+.. code::
621
+
622
+    {
623
+        "firewall_rule": {
624
+            "shared": "true"
625
+        }
626
+    }
627
+
628
+**Example Update firewall rule: JSON response**
629
+
630
+.. code::
631
+
632
+    HTTP/1.1 200 OK
633
+    Content-Type: application/json; charset=UTF-8
634
+
635
+.. code::
636
+
637
+
638
+    {
639
+        "firewall_rule": {
640
+            "action": "ALLOW",
641
+            "description": "",
642
+            "enabled": true,
643
+            "firewall_policy_id": null,
644
+            "id": "9faaf49f-dd89-4e39-a8c6-101839aa49bc",
645
+            "name": "ALLOW_HTTP",
646
+            "position": 1,
647
+            "shared": true,
648
+            "protocol": "tcp",
649
+            "source_port": null,
650
+            "destination_port": "80",
651
+            "ip_version": 4,
652
+            "source_ip_address": null,
653
+            "destination_ip_address": null,
654
+            "source_address_group_ids": [],
655
+            "destination_address_group_ids": ["8315762a-f0ae-4f6b-981a-a16a6c3103c2"],
656
+            "project_id": "45977fa2dbd7482098dd68d0d8970117"
657
+        }
658
+    }
659
+
660
+
661
+|
662
+
663
+Delete firewall rule
664
+^^^^^^^^^^^^^^^^^^^^^
665
+
666
+Deletes a firewall rule.
667
+
668
+This operation does not return a response body.
669
+
670
+    +----------------+----------------------------------------------------+
671
+    | Request Type   | ``DELETE``                                         |
672
+    +----------------+----------------------------------------------------+
673
+    | Endpoint       | ``/v2.0/fwaas/firewall_rules/<firewall_rule_id>``  |
674
+    +----------------+---------+------------------------------------------+
675
+    |                | Success | 204                                      |
676
+    | Response Codes +---------+------------------------------------------+
677
+    |                | Error   | Unauthorized(401), Not Found(404)        |
678
+    |                |         | Conflict(409) The Conflict error response|
679
+    |                |         | is returned when an operation is         |
680
+    |                |         | performed while firewall rule is in use. |
681
+    +----------------+---------+------------------------------------------+
682
+
683
+|
684
+
685
+**Example Delete firewall rule: JSON request**
686
+
687
+.. code::
688
+
689
+    DELETE /v2.0/fwaas/firewall_rules/9faaf49f-dd89-4e39-a8c6-101839aa49bc.json
690
+    User-Agent: python-neutronclient
691
+    Accept: application/json
692
+
693
+
694
+
695
+**Example Delete firewall rule: JSON response**
696
+
697
+.. code::
698
+
699
+    HTTP/1.1 204 No Content
700
+    Content-Length: 0
701
+
702
+
703
+
704
+Data Model Impact
705
+------------------
706
+
707
+The following are the backend database tables for the REST API proposed above.
708
+
709
+|
710
+| **Firewall Address Groups**
711
+
712
+
713
++-------------------+---------+-------+------+----------------------------------------+
714
+| Attribute         | Type    | Req   | CRUD | Description                            |
715
++===================+=========+=======+======+========================================+
716
+| id                | uuid-str| N/A   | R    | Unique identifier for the              |
717
+|                   |         |       |      | address_group object.                  |
718
++-------------------+---------+-------+------+----------------------------------------+
719
+| name              | String  | No    | CRU  | Human readable name for the address    |
720
+|                   |         |       |      | group (255 characters limit). Does not |
721
+|                   |         |       |      | have to be unique.                     |
722
++-------------------+---------+-------+------+----------------------------------------+
723
+| description       | String  | No    | CRU  | Human readable description for the     |
724
+|                   |         |       |      | address group (255 characters limit).  |
725
++-------------------+---------+-------+------+----------------------------------------+
726
+| project_id        | uuid-str| Yes   | CR   | Owner of the address group. Only       |
727
+|                   |         |       |      | admin users can specify a project      |
728
+|                   |         |       |      | identifier other than their own.       |
729
++-------------------+---------+-------+------+----------------------------------------+
730
+
731
+
732
+|
733
+| **Firewall Address Group Address associations**
734
+
735
++-------------------+---------+-------+------+----------------------------------------+
736
+| Attribute         | Type    | Req   | CRUD | Description                            |
737
++===================+=========+=======+======+========================================+
738
+| id                | uuid-str| N/A   | R    | Unique identifier for the              |
739
+|                   |         |       |      | address_group object.                  |
740
++-------------------+---------+-------+------+----------------------------------------+
741
+| firewall_address  | uuid-str| No    | CRU  | UUID of firewall address group.        |
742
+| _group_id         |         |       |      |                                        |
743
++-------------------+---------+-------+------+----------------------------------------+
744
+| address           | String  | No    | CRU  | Address that has to be associated to   |
745
+|                   |         |       |      | the firewall address group.            |
746
++-------------------+---------+-------+------+----------------------------------------+
747
+| ip_version        | Integer | No    | CRU  | IP Protocol Version of the address.    |
748
++-------------------+---------+-------+------+----------------------------------------+
749
+
750
+
751
+
752
+|
753
+| **Firewall Rules**
754
+
755
+
756
++------------------------+------------+-----+------+---------------------------------------+
757
+| Attribute              | Type       | Req | CRUD |  Description                          |
758
++========================+============+=====+======+=======================================+
759
+| id                     | uuid-str   | N/A | R    | Unique identifier for the firewall    |
760
+|                        |            |     |      | rule object.                          |
761
++------------------------+------------+-----+------+---------------------------------------+
762
+| project_id             | uuid-str   | Yes | CR   | Owner of the firewall rule. Only      |
763
+|                        |            |     |      | admin users can specify a project     |
764
+|                        |            |     |      | identifier other than their own.      |
765
++------------------------+------------+-----+------+---------------------------------------+
766
+| name                   | String     | No  | CRU  | Human readable name for the firewall  |
767
+|                        |            |     |      | rule (255 characters limit). Does     |
768
+|                        |            |     |      | not have to be unique.                |
769
++------------------------+------------+-----+------+---------------------------------------+
770
+| description            | String     | No  | CRU  | Human readable description for the    |
771
+|                        |            |     |      | firewall Rule (255 characters limit). |
772
++------------------------+------------+-----+------+---------------------------------------+
773
+| shared                 | Bool       | No  | CRU  | When set to True makes this firewall  |
774
+|                        |            |     |      | rule visible to projects other than   |
775
+|                        |            |     |      | its owner, and can be used in         |
776
+|                        |            |     |      | firewall policies not owned by its    |
777
+|                        |            |     |      | project.                              |
778
++------------------------+------------+-----+------+---------------------------------------+
779
+| protocol               | String     | No  | CRU  | IP Protocol.                          |
780
++------------------------+------------+-----+------+---------------------------------------+
781
+| source_port            | port-range | No  | CRU  | Source port number or a range (an     |
782
+|                        |            |     |      | int in [1, 65535] or range in a:b).   |
783
++------------------------+------------+-----+------+---------------------------------------+
784
+| destination_port       | port-range | No  | CRU  | Destination port number or a range (  |
785
+|                        |            |     |      | an int in [1, 65535] or range in a:b).|
786
++------------------------+------------+-----+------+---------------------------------------+
787
+| ip_version             | Integer    | No  | CRU  | IP Protocol Version.                  |
788
++------------------------+------------+-----+------+---------------------------------------+
789
+| source_ip_address      | String     | No  | CRU  | Source IP address or CIDR.            |
790
++------------------------+------------+-----+------+---------------------------------------+
791
+| destination_ip_address | String     | No  | CRU  | Destination IP address or CIDR.       |
792
++------------------------+------------+-----+------+---------------------------------------+
793
+| source_address         | List       | No  | CRU  | When a source_address_group is        |
794
+| _group_ids             |            |     |      | specified, it is matched when the     |
795
+|                        |            |     |      | source IP address in the packet       |
796
+|                        |            |     |      | matches one of the IP addresses in    |
797
+|                        |            |     |      | the address group.                    |
798
++------------------------+------------+-----+------+---------------------------------------+
799
+| destination_address    | List       | No  | CRU  | When a destination_address_group is   |
800
+| _group_ids             |            |     |      | specified, it is matched when the     |
801
+|                        |            |     |      | destination IP address in the packet  |
802
+|                        |            |     |      | matches one of the IP addresses in the|
803
+|                        |            |     |      | address group.                        |
804
++------------------------+------------+-----+------+---------------------------------------+
805
+| action                 | String     | No  | CRU  | Action to be performed on the         |
806
+|                        |            |     |      | traffic matching the rule (ALLOW,     |
807
+|                        |            |     |      | DENY, REJECT). Default: DENY.         |
808
++------------------------+------------+-----+------+---------------------------------------+
809
+| enabled                | Bool       | No  | CRU  | When set to False will disable this   |
810
+|                        |            |     |      | rule in the firewall policy.          |
811
+|                        |            |     |      | Facilitates selectively turning off   |
812
+|                        |            |     |      | rules without having to disassociate  |
813
+|                        |            |     |      | the rule from the firewall policy.    |
814
+|                        |            |     |      | Default: True.                        |
815
++------------------------+------------+-----+------+---------------------------------------+
816
+
817
+|
818
+| **Firewall Rules Source Address Group associations**
819
+
820
++-------------------+---------+-------+------+----------------------------------------+
821
+| Attribute         | Type    | Req   | CRUD | Description                            |
822
++===================+=========+=======+======+========================================+
823
+| id                | uuid-str| N/A   | R    | Unique identifier for the              |
824
+|                   |         |       |      | address_group object.                  |
825
++-------------------+---------+-------+------+----------------------------------------+
826
+| firewall_rule_id  | uuid-str| No    | CRU  | UUID of firewall rule.                 |
827
++-------------------+---------+-------+------+----------------------------------------+
828
+| address_group_id  | String  | No    | CRU  | UUID of source address group.          |
829
++-------------------+---------+-------+------+----------------------------------------+
830
+
831
+|
832
+| **Firewall Rules Destination Address Group associations**
833
+
834
++-------------------+---------+-------+------+----------------------------------------+
835
+| Attribute         | Type    | Req   | CRUD | Description                            |
836
++===================+=========+=======+======+========================================+
837
+| id                | uuid-str| N/A   | R    | Unique identifier for the              |
838
+|                   |         |       |      | address_group object.                  |
839
++-------------------+---------+-------+------+----------------------------------------+
840
+| firewall_rule_id  | uuid-str| No    | CRU  | UUID of firewall rule.                 |
841
++-------------------+---------+-------+------+----------------------------------------+
842
+| address_group_id  | String  | No    | CRU  | UUID of destination address group.     |
843
++-------------------+---------+-------+------+----------------------------------------+
844
+
845
+
846
+Security Impact
847
+---------------
848
+
849
+None.
850
+
851
+Notifications Impact
852
+--------------------
853
+
854
+None.
855
+
856
+Other End User Impact
857
+---------------------
858
+
859
+None.
860
+
861
+Performance Impact
862
+------------------
863
+
864
+None.
865
+
866
+IPv6 Impact
867
+-----------
868
+
869
+None.
870
+
871
+Other Deployer Impact
872
+---------------------
873
+
874
+None.
875
+
876
+Developer Impact
877
+----------------
878
+
879
+None.
880
+
881
+Community Impact
882
+----------------
883
+
884
+None.
885
+
886
+Alternatives
887
+------------
888
+
889
+None.
890
+
891
+Implementation
892
+==============
893
+
894
+Assignee(s)
895
+-----------
896
+
897
+* Wang Tao
898
+
899
+Work Items
900
+----------
901
+
902
+* REST API
903
+* DB Schema
904
+* FWaaS plugin update
905
+* CLI update
906
+* L3 agent iptables driver
907
+* L2 agent ovs driver
908
+* FWaaS dashboard
909
+
910
+Dependencies
911
+============
912
+
913
+
914
+Testing
915
+=======
916
+
917
+Tempest Tests
918
+--------------
919
+
920
+* DB mixin and schema tests
921
+* FWaaS Plugin with mocked driver end-to-end tests
922
+* Tempest tests
923
+* CLI tests
924
+
925
+Functional Tests
926
+----------------
927
+
928
+* New tests need to be written
929
+
930
+API Tests
931
+---------
932
+
933
+* REST API and attributes validation tests
934
+
935
+Documentation Impact
936
+====================
937
+
938
+User Documentation
939
+-------------------
940
+
941
+* Neutron CLI and FWaaS API documentation have to be modified.
942
+
943
+Developer Documentation
944
+-----------------------
945
+
946
+* neutron-fwaas repo will have a devref and documentation will be written.
947
+
948
+References
949
+===========
950
+
951
+[1] https://specs.openstack.org/openstack/neutron-specs/specs/newton/fwaas-api-2.0.html
952
+
953
+[2] https://developer.openstack.org/api-ref/network/v2/#fwaas-v2-0-current-fwaas-firewall-groups-firewall-policies-firewall-rules
954
+
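Review bot: the Security Impact section of this hunk says "None.", but the data model introduced above has consequences that belong there. Firewall rules keep a `shared` attribute ("When set to True makes this firewall rule visible to projects other than its owner, and can be used in firewall policies not owned by its project"), while the Firewall Address Groups table has no `shared` column and `project_id` is its only ownership field. A shared rule that references a project-private group through `source_address_group_ids` or `destination_address_group_ids` therefore lets the group's owner change, after the fact, what a foreign project's firewall policy matches, and, absent a `shared` flag on the group, the consuming project has no stated way to read the group's members. The spec should either add `shared` to address groups and require that a shared rule reference only shared groups, or reject `shared=True` on rules that reference non-shared groups, and state the error code used (the rule-delete table above already uses Conflict(409) for the in-use case). The match semantics are also undefined for the cases a driver will hit: a rule that references an empty address group (if it matches nothing, a DENY rule silently stops blocking, so say whether an empty group is rejected at rule creation or when its last address is removed); a rule with both `source_ip_address` and `source_address_group_ids` set (union or intersection, or rejected); and a rule whose `ip_version` differs from the `ip_version` of some members of a referenced group, which is possible because the Address associations table stores `address` as a free-form String beside an Integer `ip_version`. Each needs a stated rule plus a validation response, and the mixed-version case belongs under IPv6 Impact, which also reads "None.". Smaller points in the same tables: `address_group_id` is typed String in both rule-association tables while `firewall_rule_id` and `firewall_address_group_id` are uuid-str; `firewall_address_group_id` and `address` are marked Req "No" although an association row without them is meaningless; the `id` description "Unique identifier for the address_group object." is copied into all three association tables where it should describe the association row; and Performance Impact "None." should say whether the L3 agent iptables driver expands a group into per-address rules or uses a set-based match, since fewer rules is the benefit the spec claims. Finally, the Tempest Tests list contains "DB mixin and schema tests" and "FWaaS Plugin with mocked driver end-to-end tests", which are unit tests rather than Tempest tests, and the Dependencies section is empty.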
