diff --git a/specs/rocky/fwaas-2.0-address-groups-support.rst b/specs/rocky/fwaas-2.0-address-groups-support.rst new file mode 100644 index 000000000..80a3ef730 --- /dev/null +++ b/specs/rocky/fwaas-2.0-address-groups-support.rst 
@@ -0,0 +1,954 @@ +.. + This work is licensed under a Creative Commons Attribution 3.0 Unported + License. + + http://creativecommons.org/licenses/by/3.0/legalcode + +=============================================================== +Firewall as a Service API 2.0 Address Groups Support +=============================================================== + +**Launchpad blueprint:** + +| https://blueprints.launchpad.net/neutron/+spec/fwaas-2.0-address-groups + +This bp introduces a enhancement to Firewall as a Service(FWaaS) API 2.0 +for supporting address groups. This feature has been proposed in +fwaas-api-2.0 but still not implemented. + +Problem Description +=================== + +In actual use of firewall groups, each IP or subnet requires a +corresponding firewall rule. When there are a large number of instances, +a large number of firewall rules are generated and it is difficult to +maintain and manage them. + + +Proposed Change +=============== + +Add address group functions to a firewall group. By aggregating multiple +address objects into address groups and using address groups instead of +the original cidr to generate firewall rules, the number of firewall rules +can be effectively reduced. + + +REST API Impact +--------------- + +Firewall Address Groups +~~~~~~~~~~~~~~~~~~~~~~~~ + ++-------------------+---------+-------+------+---------------------------------------+ +| Attribute | Type | Req | CRUD | Description | ++===================+=========+=======+======+=======================================+ +| id | uuid-str| N/A | R | Unique identifier for the | +| | | | | address_group object. | ++-------------------+---------+-------+------+---------------------------------------+ +| name | String | No | CRU | Human readable name for the address | +| | | | | group (255 characters limit). Does not| +| | | | | have to be unique. 
| ++-------------------+---------+-------+------+---------------------------------------+ +| description | String | No | CRU | Human readable description for the | +| | | | | address group (255 characters limit). | ++-------------------+---------+-------+------+---------------------------------------+ +| project_id | uuid-str| No | CR | Owner of the address group. Only | +| | | | | admin users can specify a project | +| | | | | identifier other than their own. | ++-------------------+---------+-------+------+---------------------------------------+ +| addresses | List | Yes | CRU | Array of key-value pairs of address | +| | | | | and ip version. It supports both CIDR | +| | | | | and IP range objects. Attributes of | +| | | | | CIDR and IP range objects: | +| | | | | "address": | +| | | | | "ip_version": 4 or 6(Integer value) | +| | | | | An example of addresses: | +| | | | | [{"address": "132.168.4.12/24", | +| | | | | "ip_version": 4}] | ++-------------------+---------+-------+------+---------------------------------------+ + +| + +Firewall Rules +~~~~~~~~~~~~~~ + +Note that as with FWaaS 1.0, in FWaaS 2.0 firewall rules always use stateful connection +tracking. + ++------------------------+------------+-----+------+---------------------------------------+ +| Attribute | Type | Req | CRUD | Description | ++========================+============+=====+======+=======================================+ +| id | uuid-str | N/A | R | Unique identifier for the firewall | +| | | | | rule object. | ++------------------------+------------+-----+------+---------------------------------------+ +| project_id | uuid-str | No | CR | Owner of the firewall rule. Only | +| | | | | admin users can specify a project | +| | | | | identifier other than their own. | ++------------------------+------------+-----+------+---------------------------------------+ +| name | String | No | CRU | Human readable name for the firewall | +| | | | | rule (255 characters limit). 
Does | +| | | | | not have to be unique. | ++------------------------+------------+-----+------+---------------------------------------+ +| description | String | No | CRU | Human readable description for the | +| | | | | firewall Rule (255 characters limit). | ++------------------------+------------+-----+------+---------------------------------------+ +| shared | Bool | No | CRU | When set to True makes this firewall | +| | | | | rule visible to projects other than | +| | | | | its owner, and can be used in | +| | | | | firewall policies not owned by its | +| | | | | project. | ++------------------------+------------+-----+------+---------------------------------------+ +| protocol | String | No | CRU | IP Protocol. | ++------------------------+------------+-----+------+---------------------------------------+ +| source_port | port-range | No | CRU | Source port number or a range (an | +| | | | | int in [1, 65535] or range in a:b). | ++------------------------+------------+-----+------+---------------------------------------+ +| destination_port | port-range | No | CRU | Destination port number or a range ( | +| | | | | an int in [1, 65535] or range in a:b).| ++------------------------+------------+-----+------+---------------------------------------+ +| ip_version | Integer | No | CRU | IP Protocol Version. | ++------------------------+------------+-----+------+---------------------------------------+ +| source_ip_address | String | No | CRU | Source IP address or CIDR. | ++------------------------+------------+-----+------+---------------------------------------+ +| destination_ip_address | String | No | CRU | Destination IP address or CIDR. | ++------------------------+------------+-----+------+---------------------------------------+ +| source_address | List | No | CRU | This is a list of source address | +| _group_ids | | | | groups. 
When they are specified, they | +| | | | | are matched when the source IP address| +| | | | | in the packet matches one of the IP | +| | | | | addresses in one of the address | +| | | | | groups. | ++------------------------+------------+-----+------+---------------------------------------+ +| destination_address | List | No | CRU | This is a list of destination address | +| _group_ids | | | | groups. When they are specified, they | +| | | | | are matched when the destination IP | +| | | | | address in the packet matches one of | +| | | | | the IP addresses in one of the address| +| | | | | groups. | ++------------------------+------------+-----+------+---------------------------------------+ +| action | String | No | CRU | Action to be performed on the | +| | | | | traffic matching the rule (ALLOW, | +| | | | | DENY, REJECT). Default: DENY. | ++------------------------+------------+-----+------+---------------------------------------+ +| enabled | Bool | No | CRU | When set to False will disable this | +| | | | | rule in the firewall policy. | +| | | | | Facilitates selectively turning off | +| | | | | rules without having to disassociate | +| | | | | the rule from the firewall policy. | +| | | | | Default: True. | ++------------------------+------------+-----+------+---------------------------------------+ + +| + +Note: At most one of source_ip_address, source_address_group_ids and +source_firewall_group_id can be specified. The rule is matched when the +source IP address in the packet matches any one of: source_ip_address, +one of the IP addresses in the address group, or an IP address of one +of the ports in the firewall group. If you want it to match any packet, +set the source or destination to 0.0.0.0/0 or ::/0. The same applies to +destination_ip_address, destination_address_group_ids, and destination +_firewall_group_id, with respect to the destination IP address in the +packet. + + +List address groups +^^^^^^^^^^^^^^^^^^^^^ + +Lists address groups. 
+ + +----------------+------------------------------------------------+ + | Request Type | ``GET`` | + +----------------+------------------------------------------------+ + | Endpoint | ``/v2.0/fwaas/address_groups`` | + +----------------+---------+--------------------------------------+ + | | Success | 200 | + | Response Codes +---------+--------------------------------------+ + | | Error | Unauthorized(401) | + +----------------+---------+--------------------------------------+ + +| + +**Example List address groups: JSON request** + +.. code:: + + GET /v2.0/fwaas/address_groups.json + User-Agent: python-neutronclient + Accept: application/json + +**Example List address groups: JSON response** + + +.. code:: + + { + "address_groups": [ + { + "description": "", + "id": "8722e0e0-9cc9-4490-9660-8c9a5732fbb0", + "name": "ADDR_GP_1", + "project_id": "45977fa2dbd7482098dd68d0d8970117", + "addresses": [ + {"address": "132.168.4.12/24", "ip_version": 4}, + {"address": "132.168.5.12-132.168.5.24", "ip_version": 4}, + {"address": "2001::db8::f00/64", "ip_version": 6} + ] + } + ] + } + +Show address group details +^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Shows address group details. + + +----------------+----------------------------------------------------+ + | Request Type | ``GET`` | + +----------------+----------------------------------------------------+ + | Endpoint | ``/v2.0/fwaas/address_groups/`` | + +----------------+---------+------------------------------------------+ + | | Success | 200 | + | Response Codes +---------+------------------------------------------+ + | | Error | Unauthorized(401), Not Found (404) | + +----------------+---------+------------------------------------------+ + +| + +**Example Show address group: JSON request** + +.. code:: + + GET /v2.0/fwaas/address_groups/8722e0e0-9cc9-4490-9660-8c9a5732fbb0.json + User-Agent: python-neutronclient + Accept: application/json + + +**Example Show address group: JSON response** + +.. 
code:: + + { + "address_group": { + "description": "", + "id": "8722e0e0-9cc9-4490-9660-8c9a5732fbb0", + "name": "ADDR_GP_1", + "project_id": "45977fa2dbd7482098dd68d0d8970117", + "addresses": [ + {"address": "132.168.4.12/24", "ip_version": 4}, + {"address": "132.168.5.12-132.168.5.24", "ip_version": 4}, + {"address": "2001::db8::f00/64", "ip_version": 6} + ] + } + } + + + +Create address group +^^^^^^^^^^^^^^^^^^^^^ + +Creates an address group. + + +----------------+------------------------------------------------+ + | Request Type | ``POST`` | + +----------------+------------------------------------------------+ + | Endpoint | ``/v2.0/fwaas/address_groups/`` | + +----------------+---------+--------------------------------------+ + | | Success | 201 | + | Response Codes +---------+--------------------------------------+ + | | Error | Unauthorized(401), Bad Request(400) | + +----------------+---------+--------------------------------------+ + +| + +**Example Create address group: JSON request** + +.. code:: + + POST /v2.0/fwaas/address_groups.json + User-Agent: python-neutronclient + Accept: application/json + +.. code:: + + { + "address_group": { + "name": "ADDR_GP_1", + "addresses": [ + {"address": "132.168.4.12/24", "ip_version": 4}, + {"address": "132.168.5.12-132.168.5.24", "ip_version": 4}, + {"address": "2001::db8::f00/64", "ip_version": 6} + ] + } + } + +**Example Create address group: JSON response** + +.. code:: + + HTTP/1.1 201 Created + Content-Type: application/json; charset=UTF-8 + +.. code:: + + { + "address_group": { + "description": "", + "id": "8722e0e0-9cc9-4490-9660-8c9a5732fbb0", + "name": "ADDR_GP_1", + "project_id": "45977fa2dbd7482098dd68d0d8970117", + "addresses": [ + {"address": "132.168.4.12/24", "ip_version": 4}, + {"address": "132.168.5.12-132.168.5.24", "ip_version": 4}, + {"address": "2001::db8::f00/64", "ip_version": 6} + ] + } + } + + +Update address group +^^^^^^^^^^^^^^^^^^^^^ + +Updates an address group. 
+ + +----------------+----------------------------------------------------+ + | Request Type | ``PUT`` | + +----------------+----------------------------------------------------+ + | Endpoint | ``/v2.0/fwaas/address_groups/`` | + +----------------+---------+------------------------------------------+ + | | Success | 200 | + | Response Codes +---------+------------------------------------------+ + | | Error | Unauthorized(401), Bad Request(400) \ | + | | | Not Found(404) | + +----------------+---------+------------------------------------------+ + +| + +**Example Update address group: JSON request** + +.. code:: + + PUT /v2.0/fwaas/address_groups/8722e0e0-9cc9-4490-9660-8c9a5732fbb0.json + User-Agent: python-neutronclient + Accept: application/json + +.. code:: + + { + "address_group": { + "addresses": [ + {"address": "132.168.4.12/24", "ip_version": 4}, + {"address": "132.168.5.12-132.168.5.24", "ip_version": 4}, + {"address": "2001::db8::f00/64", "ip_version": 6} + ] + } + } + + +**Example Update address group: JSON response** + +.. code:: + + HTTP/1.1 200 OK + Content-Type: application/json; charset=UTF-8 + +.. code:: + + { + "address_group": { + "description": "", + "id": "8722e0e0-9cc9-4490-9660-8c9a5732fbb0", + "name": "ADDR_GP_1", + "project_id": "45977fa2dbd7482098dd68d0d8970117", + "addresses": [ + {"address": "132.168.4.12/24", "ip_version": 4}, + {"address": "132.168.5.12-132.168.5.24", "ip_version": 4}, + {"address": "2001::db8::f00/64", "ip_version": 6} + ] + } + } + + +Delete address group +^^^^^^^^^^^^^^^^^^^^^ + +Deletes an address group. + +This operation does not return a response body. 
+ + +----------------+----------------------------------------------------+ + | Request Type | ``DELETE`` | + +----------------+----------------------------------------------------+ + | Endpoint | ``/v2.0/fwaas/address_groups/`` | + +----------------+---------+------------------------------------------+ + | | Success | 204 | + | Response Codes +---------+------------------------------------------+ + | | Error | Unauthorized(401), Not Found(404) | + | | | Conflict(409) The Conflict error response| + | | | is returned when an operation is | + | | | performed while address group is in use. | + +----------------+---------+------------------------------------------+ + +| + +**Example Delete address group: JSON request** + +.. code:: + + DELETE /v2.0/fwaas/address_groups/8722e0e0-9cc9-4490-9660-8c9a5732fbb0.json + User-Agent: python-neutronclient + Accept: application/json + +**Example Delete address group: JSON response** + +.. code:: + + HTTP/1.1 204 No Content + Content-Length: 0 + + +List firewall rules +^^^^^^^^^^^^^^^^^^^^ + +Lists firewall rules. + + +----------------+------------------------------------------------+ + | Request Type | ``GET`` | + +----------------+------------------------------------------------+ + | Endpoint | ``/v2.0/fwaas/firewall_rules`` | + +----------------+---------+--------------------------------------+ + | | Success | 200 | + | Response Codes +---------+--------------------------------------+ + | | Error | Unauthorized(401) | + +----------------+---------+--------------------------------------+ + +| + +**Example List firewall rules: JSON request** + +.. code:: + + GET /v2.0/fwaas/firewall_rules.json + User-Agent: python-neutronclient + Accept: application/json + + + +**Example List firewall rules: JSON response** + + +.. 
code:: + + { + "firewall_rules": [ + { + "action": "ALLOW", + "description": "", + "enabled": true, + "firewall_policy_id": "56632e51-d2aa-4b79-9fd4-45f51088c4ed", + "id": "9faaf49f-dd89-4e39-a8c6-101839aa49bc", + "name": "ALLOW_HTTP", + "position": 1, + "shared": false, + "protocol": "tcp", + "source_port": null, + "destination_port": "80", + "ip_version": 4, + "source_ip_address": null, + "destination_ip_address": null + "source_address_group_ids": [], + "destination_address_group_ids": ["8315762a-f0ae-4f6b-981a-a16a6c3103c2"], + "project_id": "45977fa2dbd7482098dd68d0d8970117" + } + ] + } + +Show firewall rule details +^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Shows firewall rule details. + + +----------------+----------------------------------------------------+ + | Request Type | ``GET`` | + +----------------+----------------------------------------------------+ + | Endpoint | ``/v2.0/fwaas/firewall_rules/`` | + +----------------+---------+------------------------------------------+ + | | Success | 200 | + | Response Codes +---------+------------------------------------------+ + | | Error | Unauthorized(401), Not Found (404) | + +----------------+---------+------------------------------------------+ + +| + +**Example Show firewall rule: JSON request** + +.. code:: + + GET /v2.0/fwaas/firewall_rules/9faaf49f-dd89-4e39-a8c6-101839aa49bc.json + User-Agent: python-neutronclient + Accept: application/json + + +**Example Show firewall rule: JSON response** + +.. 
code:: + + { + "firewall_rule": { + "action": "ALLOW", + "description": "", + "enabled": true, + "firewall_policy_id": "56632e51-d2aa-4b79-9fd4-45f51088c4ed", + "id": "9faaf49f-dd89-4e39-a8c6-101839aa49bc", + "name": "ALLOW_HTTP", + "position": 1, + "shared": false, + "protocol": "tcp", + "source_port": null, + "destination_port": "80", + "ip_version": 4, + "source_ip_address": null, + "destination_ip_address": null, + "source_address_group_ids": [], + "destination_address_group_ids": ["8315762a-f0ae-4f6b-981a-a16a6c3103c2"], + "project_id": "45977fa2dbd7482098dd68d0d8970117" + } + } + + + +Create firewall rule +^^^^^^^^^^^^^^^^^^^^^ + +Creates a firewall rule. + + +----------------+------------------------------------------------+ + | Request Type | ``POST`` | + +----------------+------------------------------------------------+ + | Endpoint | ``/v2.0/fwaas/firewall_rules/`` | + +----------------+---------+--------------------------------------+ + | | Success | 201 | + | Response Codes +---------+--------------------------------------+ + | | Error | Unauthorized(401), Bad Request(400) | + +----------------+---------+--------------------------------------+ + +| + +**Example Create firewall rule: JSON request** + +.. code:: + + POST /v2.0/fwaas/firewall_rules.json + User-Agent: python-neutronclient + Accept: application/json + +.. code:: + + { + "firewall_rule": { + "action": "ALLOW", + "enabled": true, + "name": "ALLOW_HTTP", + "protocol": "tcp", + "source_port": null, + "destination_port": "80", + "source_ip_address": null, + "destination_ip_address": null, + "source_address_group_ids": [], + "destination_address_group_ids": ["8315762a-f0ae-4f6b-981a-a16a6c3103c2"] + } + } + +**Example Create firewall rule: JSON response** + +.. code:: + + HTTP/1.1 201 Created + Content-Type: application/json; charset=UTF-8 + +.. 
code:: + + { + "firewall_rule": { + "action": "ALLOW", + "description": "", + "enabled": true, + "firewall_policy_id": null, + "id": "9faaf49f-dd89-4e39-a8c6-101839aa49bc", + "name": "ALLOW_HTTP", + "position": 1, + "shared": false, + "protocol": "tcp", + "source_port": null, + "destination_port": "80", + "ip_version": 4, + "source_ip_address": null, + "destination_ip_address": null, + "source_address_group_ids": [], + "destination_address_group_ids": ["8315762a-f0ae-4f6b-981a-a16a6c3103c2"], + "project_id": "45977fa2dbd7482098dd68d0d8970117" + } + } + + +Update firewall rule +^^^^^^^^^^^^^^^^^^^^^ + +Updates a firewall rule. + + +----------------+----------------------------------------------------+ + | Request Type | ``PUT`` | + +----------------+----------------------------------------------------+ + | Endpoint | ``/v2.0/fwaas/firewall_rules/`` | + +----------------+---------+------------------------------------------+ + | | Success | 200 | + | Response Codes +---------+------------------------------------------+ + | | Error | Unauthorized(401), Bad Request(400) \ | + | | | Not Found(404) | + +----------------+---------+------------------------------------------+ + +| + +**Example Update firewall rule: JSON request** + +.. code:: + + PUT /v2.0/fwaas/firewall_rules/9faaf49f-dd89-4e39-a8c6-101839aa49bc.json + User-Agent: python-neutronclient + Accept: application/json + +.. code:: + + { + "firewall_rule": { + "shared": "true" + } + } + +**Example Update firewall rule: JSON response** + +.. code:: + + HTTP/1.1 200 OK + Content-Type: application/json; charset=UTF-8 + +.. 
code:: + + + { + "firewall_rule": { + "action": "ALLOW", + "description": "", + "enabled": true, + "firewall_policy_id": null, + "id": "9faaf49f-dd89-4e39-a8c6-101839aa49bc", + "name": "ALLOW_HTTP", + "position": 1, + "shared": true, + "protocol": "tcp", + "source_port": null, + "destination_port": "80", + "ip_version": 4, + "source_ip_address": null, + "destination_ip_address": null, + "source_address_group_ids": [], + "destination_address_group_ids": ["8315762a-f0ae-4f6b-981a-a16a6c3103c2"], + "project_id": "45977fa2dbd7482098dd68d0d8970117" + } + } + + +| + +Delete firewall rule +^^^^^^^^^^^^^^^^^^^^^ + +Deletes a firewall rule. + +This operation does not return a response body. + + +----------------+----------------------------------------------------+ + | Request Type | ``DELETE`` | + +----------------+----------------------------------------------------+ + | Endpoint | ``/v2.0/fwaas/firewall_rules/`` | + +----------------+---------+------------------------------------------+ + | | Success | 204 | + | Response Codes +---------+------------------------------------------+ + | | Error | Unauthorized(401), Not Found(404) | + | | | Conflict(409) The Conflict error response| + | | | is returned when an operation is | + | | | performed while firewall rule is in use. | + +----------------+---------+------------------------------------------+ + +| + +**Example Delete firewall rule: JSON request** + +.. code:: + + DELETE /v2.0/fwaas/firewall_rules/9faaf49f-dd89-4e39-a8c6-101839aa49bc.json + User-Agent: python-neutronclient + Accept: application/json + + + +**Example Delete firewall rule: JSON response** + +.. code:: + + HTTP/1.1 204 No Content + Content-Length: 0 + + + +Data Model Impact +------------------ + +The following are the backend database tables for the REST API proposed above. 
+ +| +| **Firewall Address Groups** + + ++-------------------+---------+-------+------+----------------------------------------+ +| Attribute | Type | Req | CRUD | Description | ++===================+=========+=======+======+========================================+ +| id | uuid-str| N/A | R | Unique identifier for the | +| | | | | address_group object. | ++-------------------+---------+-------+------+----------------------------------------+ +| name | String | No | CRU | Human readable name for the address | +| | | | | group (255 characters limit). Does not | +| | | | | have to be unique. | ++-------------------+---------+-------+------+----------------------------------------+ +| description | String | No | CRU | Human readable description for the | +| | | | | address group (255 characters limit). | ++-------------------+---------+-------+------+----------------------------------------+ +| project_id | uuid-str| Yes | CR | Owner of the address group. Only | +| | | | | admin users can specify a project | +| | | | | identifier other than their own. | ++-------------------+---------+-------+------+----------------------------------------+ + + +| +| **Firewall Address Group Address associations** + ++-------------------+---------+-------+------+----------------------------------------+ +| Attribute | Type | Req | CRUD | Description | ++===================+=========+=======+======+========================================+ +| id | uuid-str| N/A | R | Unique identifier for the | +| | | | | address_group object. | ++-------------------+---------+-------+------+----------------------------------------+ +| firewall_address | uuid-str| No | CRU | UUID of firewall address group. | +| _group_id | | | | | ++-------------------+---------+-------+------+----------------------------------------+ +| address | String | No | CRU | Address that has to be associated to | +| | | | | the firewall address group. 
| ++-------------------+---------+-------+------+----------------------------------------+ +| ip_version | Integer | No | CRU | IP Protocol Version of the address. | ++-------------------+---------+-------+------+----------------------------------------+ + + + +| +| **Firewall Rules** + + ++------------------------+------------+-----+------+---------------------------------------+ +| Attribute | Type | Req | CRUD | Description | ++========================+============+=====+======+=======================================+ +| id | uuid-str | N/A | R | Unique identifier for the firewall | +| | | | | rule object. | ++------------------------+------------+-----+------+---------------------------------------+ +| project_id | uuid-str | Yes | CR | Owner of the firewall rule. Only | +| | | | | admin users can specify a project | +| | | | | identifier other than their own. | ++------------------------+------------+-----+------+---------------------------------------+ +| name | String | No | CRU | Human readable name for the firewall | +| | | | | rule (255 characters limit). Does | +| | | | | not have to be unique. | ++------------------------+------------+-----+------+---------------------------------------+ +| description | String | No | CRU | Human readable description for the | +| | | | | firewall Rule (255 characters limit). | ++------------------------+------------+-----+------+---------------------------------------+ +| shared | Bool | No | CRU | When set to True makes this firewall | +| | | | | rule visible to projects other than | +| | | | | its owner, and can be used in | +| | | | | firewall policies not owned by its | +| | | | | project. | ++------------------------+------------+-----+------+---------------------------------------+ +| protocol | String | No | CRU | IP Protocol. 
| ++------------------------+------------+-----+------+---------------------------------------+ +| source_port | port-range | No | CRU | Source port number or a range (an | +| | | | | int in [1, 65535] or range in a:b). | ++------------------------+------------+-----+------+---------------------------------------+ +| destination_port | port-range | No | CRU | Destination port number or a range ( | +| | | | | an int in [1, 65535] or range in a:b).| ++------------------------+------------+-----+------+---------------------------------------+ +| ip_version | Integer | No | CRU | IP Protocol Version. | ++------------------------+------------+-----+------+---------------------------------------+ +| source_ip_address | String | No | CRU | Source IP address or CIDR. | ++------------------------+------------+-----+------+---------------------------------------+ +| destination_ip_address | String | No | CRU | Destination IP address or CIDR. | ++------------------------+------------+-----+------+---------------------------------------+ +| source_address | List | No | CRU | When a source_address_group is | +| _group_ids | | | | specified, it is matched when the | +| | | | | source IP address in the packet | +| | | | | matches one of the IP addresses in | +| | | | | the address group. | ++------------------------+------------+-----+------+---------------------------------------+ +| destination_address | List | No | CRU | When a destination_address_group is | +| _group_ids | | | | specified, it is matched when the | +| | | | | destination IP address in the packet | +| | | | | matches one of the IP addresses in the| +| | | | | address group. | ++------------------------+------------+-----+------+---------------------------------------+ +| action | String | No | CRU | Action to be performed on the | +| | | | | traffic matching the rule (ALLOW, | +| | | | | DENY, REJECT). Default: DENY. 
| ++------------------------+------------+-----+------+---------------------------------------+ +| enabled | Bool | No | CRU | When set to False will disable this | +| | | | | rule in the firewall policy. | +| | | | | Facilitates selectively turning off | +| | | | | rules without having to disassociate | +| | | | | the rule from the firewall policy. | +| | | | | Default: True. | ++------------------------+------------+-----+------+---------------------------------------+ + +| +| **Firewall Rules Source Address Group associations** + ++-------------------+---------+-------+------+----------------------------------------+ +| Attribute | Type | Req | CRUD | Description | ++===================+=========+=======+======+========================================+ +| id | uuid-str| N/A | R | Unique identifier for the | +| | | | | address_group object. | ++-------------------+---------+-------+------+----------------------------------------+ +| firewall_rule_id | uuid-str| No | CRU | UUID of firewall rule. | ++-------------------+---------+-------+------+----------------------------------------+ +| address_group_id | String | No | CRU | UUID of source address group. | ++-------------------+---------+-------+------+----------------------------------------+ + +| +| **Firewall Rules Destination Address Group associations** + ++-------------------+---------+-------+------+----------------------------------------+ +| Attribute | Type | Req | CRUD | Description | ++===================+=========+=======+======+========================================+ +| id | uuid-str| N/A | R | Unique identifier for the | +| | | | | address_group object. | ++-------------------+---------+-------+------+----------------------------------------+ +| firewall_rule_id | uuid-str| No | CRU | UUID of firewall rule. | ++-------------------+---------+-------+------+----------------------------------------+ +| address_group_id | String | No | CRU | UUID of destination address group. 
| ++-------------------+---------+-------+------+----------------------------------------+ + + +Security Impact +--------------- + +None. + +Notifications Impact +-------------------- + +None. + +Other End User Impact +--------------------- + +None. + +Performance Impact +------------------ + +None. + +IPv6 Impact +----------- + +None. + +Other Deployer Impact +--------------------- + +None. + +Developer Impact +---------------- + +None. + +Community Impact +---------------- + +None. + +Alternatives +------------ + +None. + +Implementation +============== + +Assignee(s) +----------- + +* Wang Tao + +Work Items +---------- + +* REST API +* DB Schema +* FWaaS plugin update +* CLI update +* L3 agent iptables driver +* L2 agent ovs driver +* FWaaS dashboard + +Dependencies +============ + + +Testing +======= + +Tempest Tests +-------------- + +* DB mixin and schema tests +* FWaaS Plugin with mocked driver end-to-end tests +* Tempest tests +* CLI tests + +Functional Tests +---------------- + +* New tests need to be written + +API Tests +--------- + +* REST API and attributes validation tests + +Documentation Impact +==================== + +User Documentation +------------------- + +* Neutron CLI and FWaaS API documentation have to be modified. + +Developer Documentation +----------------------- + +* neutron-fwaas repo will have a devref and documentation will be written. + +References +=========== + +[1] https://specs.openstack.org/openstack/neutron-specs/specs/newton/fwaas-api-2.0.html + +[2] https://developer.openstack.org/api-ref/network/v2/#fwaas-v2-0-current-fwaas-firewall-groups-firewall-policies-firewall-rules +
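Review bot: the "Example List firewall rules: JSON response" body is not valid JSON: `"destination_ip_address": null` is missing the trailing comma before `"source_address_group_ids": []`. Add the comma so the example parses. In the same spirit, the "Example Update firewall rule: JSON request" sends `"shared": "true"` (a string) while the Firewall Rules table declares `shared` as Bool; use the bare literal `true` so the example matches the schema it documents. The IPv6 sample `2001::db8::f00/64`, repeated in every address group example, contains two `::` and is not a valid IPv6 address; a single `::` (for instance a 2001:db8 documentation prefix) would pass validation. The `addresses` description in the Firewall Address Groups table shows `"address":` with no value; state the accepted forms there (a CIDR or a `start-end` range, which is what the examples use). In the three association tables the `id` description is copy-pasted as "Unique identifier for the address_group object" and `address_group_id` is typed String while every other identifier is uuid-str; fix the descriptions and type. Finally, "Security Impact: None" needs a sentence on cross-project references: the `shared` attribute lets a rule be used in policies of other projects, but address groups carry only a `project_id` and no `shared` flag, so the spec should say whether a rule's `source_address_group_ids` / `destination_address_group_ids` may reference a group owned by another project and which policy check rejects it on create and update, since a rule that is visible to other projects yet matches addresses defined by a different owner is exactly the case that needs an explicit authorization decision.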