Merge "fwaas 2.0 address groups support"

commit 86566de1de

..
 This work is licensed under a Creative Commons Attribution 3.0 Unported
 License.

 http://creativecommons.org/licenses/by/3.0/legalcode

===============================================================
Firewall as a Service API 2.0 Address Groups Support
===============================================================

**Launchpad blueprint:**

| https://blueprints.launchpad.net/neutron/+spec/fwaas-2.0-address-groups

This blueprint introduces an enhancement to the Firewall as a Service (FWaaS)
API 2.0 to support address groups. The feature was proposed in fwaas-api-2.0
but has not yet been implemented.

Problem Description
===================

In practice, each IP address or subnet protected by a firewall group requires
its own firewall rule. With a large number of instances this produces a large
number of firewall rules, which are difficult to maintain and manage.

Proposed Change
===============

Add address group support to firewall groups. By aggregating multiple address
objects into address groups, and generating firewall rules from address groups
instead of from individual CIDRs, the number of firewall rules can be reduced
substantially.

REST API Impact
---------------

Firewall Address Groups
~~~~~~~~~~~~~~~~~~~~~~~~

+-------------------+---------+-------+------+---------------------------------------+
| Attribute         | Type    | Req   | CRUD | Description                           |
+===================+=========+=======+======+=======================================+
| id                | uuid-str| N/A   | R    | Unique identifier for the             |
|                   |         |       |      | address_group object.                 |
+-------------------+---------+-------+------+---------------------------------------+
| name              | String  | No    | CRU  | Human readable name for the address   |
|                   |         |       |      | group (255 characters limit). Does not|
|                   |         |       |      | have to be unique.                    |
+-------------------+---------+-------+------+---------------------------------------+
| description       | String  | No    | CRU  | Human readable description for the    |
|                   |         |       |      | address group (255 characters limit). |
+-------------------+---------+-------+------+---------------------------------------+
| project_id        | uuid-str| No    | CR   | Owner of the address group. Only      |
|                   |         |       |      | admin users can specify a project     |
|                   |         |       |      | identifier other than their own.      |
+-------------------+---------+-------+------+---------------------------------------+
| addresses         | List    | Yes   | CRU  | Array of key-value pairs of address   |
|                   |         |       |      | and ip version. It supports both CIDR |
|                   |         |       |      | and IP range objects. Attributes of   |
|                   |         |       |      | CIDR and IP range objects:            |
|                   |         |       |      | "address": <CIDR or IP range>         |
|                   |         |       |      | "ip_version": 4 or 6 (Integer value)  |
|                   |         |       |      | An example of addresses:              |
|                   |         |       |      | [{"address": "132.168.4.12/24",       |
|                   |         |       |      | "ip_version": 4}]                     |
+-------------------+---------+-------+------+---------------------------------------+

Firewall Rules
~~~~~~~~~~~~~~

Note that as with FWaaS 1.0, in FWaaS 2.0 firewall rules always use stateful
connection tracking.

+------------------------+------------+-----+------+---------------------------------------+
| Attribute              | Type       | Req | CRUD | Description                           |
+========================+============+=====+======+=======================================+
| id                     | uuid-str   | N/A | R    | Unique identifier for the firewall    |
|                        |            |     |      | rule object.                          |
+------------------------+------------+-----+------+---------------------------------------+
| project_id             | uuid-str   | No  | CR   | Owner of the firewall rule. Only      |
|                        |            |     |      | admin users can specify a project     |
|                        |            |     |      | identifier other than their own.      |
+------------------------+------------+-----+------+---------------------------------------+
| name                   | String     | No  | CRU  | Human readable name for the firewall  |
|                        |            |     |      | rule (255 characters limit). Does     |
|                        |            |     |      | not have to be unique.                |
+------------------------+------------+-----+------+---------------------------------------+
| description            | String     | No  | CRU  | Human readable description for the    |
|                        |            |     |      | firewall rule (255 characters limit). |
+------------------------+------------+-----+------+---------------------------------------+
| shared                 | Bool       | No  | CRU  | When set to True makes this firewall  |
|                        |            |     |      | rule visible to projects other than   |
|                        |            |     |      | its owner, and can be used in         |
|                        |            |     |      | firewall policies not owned by its    |
|                        |            |     |      | project.                              |
+------------------------+------------+-----+------+---------------------------------------+
| protocol               | String     | No  | CRU  | IP Protocol.                          |
+------------------------+------------+-----+------+---------------------------------------+
| source_port            | port-range | No  | CRU  | Source port number or a range (an     |
|                        |            |     |      | int in [1, 65535] or range in a:b).   |
+------------------------+------------+-----+------+---------------------------------------+
| destination_port       | port-range | No  | CRU  | Destination port number or a range (  |
|                        |            |     |      | an int in [1, 65535] or range in a:b).|
+------------------------+------------+-----+------+---------------------------------------+
| ip_version             | Integer    | No  | CRU  | IP Protocol Version.                  |
+------------------------+------------+-----+------+---------------------------------------+
| source_ip_address      | String     | No  | CRU  | Source IP address or CIDR.            |
+------------------------+------------+-----+------+---------------------------------------+
| destination_ip_address | String     | No  | CRU  | Destination IP address or CIDR.       |
+------------------------+------------+-----+------+---------------------------------------+
| source_address         | List       | No  | CRU  | This is a list of source address      |
| _group_ids             |            |     |      | groups. When they are specified, they |
|                        |            |     |      | are matched when the source IP address|
|                        |            |     |      | in the packet matches one of the IP   |
|                        |            |     |      | addresses in one of the address       |
|                        |            |     |      | groups.                               |
+------------------------+------------+-----+------+---------------------------------------+
| destination_address    | List       | No  | CRU  | This is a list of destination address |
| _group_ids             |            |     |      | groups. When they are specified, they |
|                        |            |     |      | are matched when the destination IP   |
|                        |            |     |      | address in the packet matches one of  |
|                        |            |     |      | the IP addresses in one of the address|
|                        |            |     |      | groups.                               |
+------------------------+------------+-----+------+---------------------------------------+
| action                 | String     | No  | CRU  | Action to be performed on the         |
|                        |            |     |      | traffic matching the rule (ALLOW,     |
|                        |            |     |      | DENY, REJECT). Default: DENY.         |
+------------------------+------------+-----+------+---------------------------------------+
| enabled                | Bool       | No  | CRU  | When set to False will disable this   |
|                        |            |     |      | rule in the firewall policy.          |
|                        |            |     |      | Facilitates selectively turning off   |
|                        |            |     |      | rules without having to disassociate  |
|                        |            |     |      | the rule from the firewall policy.    |
|                        |            |     |      | Default: True.                        |
+------------------------+------------+-----+------+---------------------------------------+

Note: At most one of source_ip_address, source_address_group_ids and
source_firewall_group_id can be specified. The rule is matched when the
source IP address in the packet matches any one of: source_ip_address,
one of the IP addresses in one of the listed address groups, or an IP
address of one of the ports in the firewall group. To match any packet,
set the source or destination to 0.0.0.0/0 or ::/0. The same applies to
destination_ip_address, destination_address_group_ids and
destination_firewall_group_id, with respect to the destination IP address
in the packet.

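The ``addresses`` entries of an address group and the matching semantics in the note above, as an added Python example that is not part of this spec or of neutron-fwaas: it validates an ``addresses`` list (CIDR or ``a-b`` range, with ``ip_version`` agreeing with the address family), enforces the at-most-one constraint between ``*_ip_address`` and ``*_address_group_ids``, and evaluates whether a packet's source and destination match a rule. All function names and the group id ``ag-web`` are this example's own; the ``source_firewall_group_id`` alternative from the note is not modelled.

```python
"""Address-group parsing and rule matching for the FWaaS 2.0 API.

Added example, not code from this blueprint or from neutron-fwaas; all names
are this example's own. The source_firewall_group_id alternative is not modelled.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Entry = Union[Network, Tuple[Address, Address]]  # CIDR, or inclusive (low, high) range


def parse_address(address: str, ip_version: int) -> Entry:
    """Parse one "address" value (CIDR, bare IP, or "a-b" range) and check that
    its IP family agrees with "ip_version". Raises ValueError otherwise."""
    text = address.strip()
    if "-" in text:
        lo_s, hi_s = (part.strip() for part in text.split("-", 1))
        lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
        if lo.version != hi.version:
            raise ValueError("range ends must be the same IP family: %s" % text)
        if lo > hi:
            raise ValueError("range start is after range end: %s" % text)
        entry, version = (lo, hi), lo.version
    else:
        # strict=False tolerates host bits, as in the spec's "132.168.4.12/24".
        net = ipaddress.ip_network(text, strict=False)
        entry, version = net, net.version
    if version != ip_version:
        raise ValueError("%s is IPv%d but ip_version is %r" % (text, version, ip_version))
    return entry


def is_valid_address(address: str, ip_version: int) -> bool:
    try:
        parse_address(address, ip_version)
        return True
    except ValueError:
        return False


def parse_address_group(addresses: Iterable[Dict]) -> List[Entry]:
    """Validate a whole "addresses" attribute; one bad entry rejects the group."""
    entries = []
    for item in addresses:
        if set(item) != {"address", "ip_version"}:
            raise ValueError("each entry needs exactly address and ip_version")
        entries.append(parse_address(item["address"], item["ip_version"]))
    if not entries:
        raise ValueError("addresses must not be empty")
    return entries


def entry_contains(entry: Entry, ip: Address) -> bool:
    """True when ip is inside a parsed CIDR or inclusive range of its own family."""
    if isinstance(entry, tuple):
        lo, hi = entry
        return lo.version == ip.version and lo <= ip <= hi
    return entry.version == ip.version and ip in entry


def endpoint_matches(packet_ip: str, rule_ip_address: Optional[str],
                     group_ids: List[str], groups: Dict[str, List[Entry]]) -> bool:
    """One side (source or destination) of a rule, per the note in the spec:
    at most one of the plain address and the group list may be set, neither set
    means unconstrained, and 0.0.0.0/0 or ::/0 matches every packet of its family."""
    if rule_ip_address is not None and group_ids:
        raise ValueError("at most one of *_ip_address and *_address_group_ids may be set")
    ip = ipaddress.ip_address(packet_ip)
    if rule_ip_address is not None:
        return entry_contains(ipaddress.ip_network(rule_ip_address, strict=False), ip)
    if group_ids:
        return any(entry_contains(e, ip) for gid in group_ids for e in groups[gid])
    return True


def rule_matches(rule: Dict, src_ip: str, dst_ip: str, groups: Dict[str, List[Entry]]) -> bool:
    """True when both the source and the destination side of the rule match."""
    return (endpoint_matches(src_ip, rule.get("source_ip_address"),
                             rule.get("source_address_group_ids") or [], groups)
            and endpoint_matches(dst_ip, rule.get("destination_ip_address"),
                                 rule.get("destination_address_group_ids") or [], groups))


# Constructed sample data shaped like the spec's examples; "ag-web" is a placeholder id.
GROUPS = {"ag-web": parse_address_group([
    {"address": "132.168.4.12/24", "ip_version": 4},
    {"address": "132.168.5.12-132.168.5.24", "ip_version": 4},
    {"address": "2001:db8::f00/64", "ip_version": 6},
])}
ALLOW_HTTP = {"action": "ALLOW", "protocol": "tcp", "destination_port": "80",
              "source_ip_address": None, "source_address_group_ids": [],
              "destination_ip_address": None, "destination_address_group_ids": ["ag-web"]}

if __name__ == "__main__":
    for dst in ("132.168.4.200", "132.168.5.20", "132.168.5.30", "2001:db8::1"):
        print(dst, "->", rule_matches(ALLOW_HTTP, "10.1.1.1", dst, GROUPS))
```

Validation is all-or-nothing on purpose: a group whose entries disagree with their declared ``ip_version`` would otherwise be silently skipped by a backend that filters by family, which turns a typo into a rule that matches nothing.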
List address groups
^^^^^^^^^^^^^^^^^^^^^

Lists address groups.

+----------------+------------------------------------------------+
| Request Type   | ``GET``                                        |
+----------------+------------------------------------------------+
| Endpoint       | ``/v2.0/fwaas/address_groups``                 |
+----------------+---------+--------------------------------------+
|                | Success | 200                                  |
| Response Codes +---------+--------------------------------------+
|                | Error   | Unauthorized(401)                    |
+----------------+---------+--------------------------------------+

**Example List address groups: JSON request**

.. code::

   GET /v2.0/fwaas/address_groups.json
   User-Agent: python-neutronclient
   Accept: application/json

**Example List address groups: JSON response**

.. code::

   {
       "address_groups": [
           {
               "description": "",
               "id": "8722e0e0-9cc9-4490-9660-8c9a5732fbb0",
               "name": "ADDR_GP_1",
               "project_id": "45977fa2dbd7482098dd68d0d8970117",
               "addresses": [
                   {"address": "132.168.4.12/24", "ip_version": 4},
                   {"address": "132.168.5.12-132.168.5.24", "ip_version": 4},
                   {"address": "2001:db8::f00/64", "ip_version": 6}
               ]
           }
       ]
   }

Show address group details
^^^^^^^^^^^^^^^^^^^^^^^^^^^

Shows address group details.

+----------------+----------------------------------------------------+
| Request Type   | ``GET``                                            |
+----------------+----------------------------------------------------+
| Endpoint       | ``/v2.0/fwaas/address_groups/<address_group_id>``  |
+----------------+---------+------------------------------------------+
|                | Success | 200                                      |
| Response Codes +---------+------------------------------------------+
|                | Error   | Unauthorized(401), Not Found(404)        |
+----------------+---------+------------------------------------------+

**Example Show address group: JSON request**

.. code::

   GET /v2.0/fwaas/address_groups/8722e0e0-9cc9-4490-9660-8c9a5732fbb0.json
   User-Agent: python-neutronclient
   Accept: application/json

**Example Show address group: JSON response**

.. code::

   {
       "address_group": {
           "description": "",
           "id": "8722e0e0-9cc9-4490-9660-8c9a5732fbb0",
           "name": "ADDR_GP_1",
           "project_id": "45977fa2dbd7482098dd68d0d8970117",
           "addresses": [
               {"address": "132.168.4.12/24", "ip_version": 4},
               {"address": "132.168.5.12-132.168.5.24", "ip_version": 4},
               {"address": "2001:db8::f00/64", "ip_version": 6}
           ]
       }
   }

Create address group
^^^^^^^^^^^^^^^^^^^^^

Creates an address group.

+----------------+------------------------------------------------+
| Request Type   | ``POST``                                       |
+----------------+------------------------------------------------+
| Endpoint       | ``/v2.0/fwaas/address_groups/``                |
+----------------+---------+--------------------------------------+
|                | Success | 201                                  |
| Response Codes +---------+--------------------------------------+
|                | Error   | Unauthorized(401), Bad Request(400)  |
+----------------+---------+--------------------------------------+

**Example Create address group: JSON request**

.. code::

   POST /v2.0/fwaas/address_groups.json
   User-Agent: python-neutronclient
   Accept: application/json

.. code::

   {
       "address_group": {
           "name": "ADDR_GP_1",
           "addresses": [
               {"address": "132.168.4.12/24", "ip_version": 4},
               {"address": "132.168.5.12-132.168.5.24", "ip_version": 4},
               {"address": "2001:db8::f00/64", "ip_version": 6}
           ]
       }
   }

**Example Create address group: JSON response**

.. code::

   HTTP/1.1 201 Created
   Content-Type: application/json; charset=UTF-8

.. code::

   {
       "address_group": {
           "description": "",
           "id": "8722e0e0-9cc9-4490-9660-8c9a5732fbb0",
           "name": "ADDR_GP_1",
           "project_id": "45977fa2dbd7482098dd68d0d8970117",
           "addresses": [
               {"address": "132.168.4.12/24", "ip_version": 4},
               {"address": "132.168.5.12-132.168.5.24", "ip_version": 4},
               {"address": "2001:db8::f00/64", "ip_version": 6}
           ]
       }
   }

Update address group
^^^^^^^^^^^^^^^^^^^^^

Updates an address group.

+----------------+----------------------------------------------------+
| Request Type   | ``PUT``                                            |
+----------------+----------------------------------------------------+
| Endpoint       | ``/v2.0/fwaas/address_groups/<address_group_id>``  |
+----------------+---------+------------------------------------------+
|                | Success | 200                                      |
| Response Codes +---------+------------------------------------------+
|                | Error   | Unauthorized(401), Bad Request(400),     |
|                |         | Not Found(404)                           |
+----------------+---------+------------------------------------------+

**Example Update address group: JSON request**

.. code::

   PUT /v2.0/fwaas/address_groups/8722e0e0-9cc9-4490-9660-8c9a5732fbb0.json
   User-Agent: python-neutronclient
   Accept: application/json

.. code::

   {
       "address_group": {
           "addresses": [
               {"address": "132.168.4.12/24", "ip_version": 4},
               {"address": "132.168.5.12-132.168.5.24", "ip_version": 4},
               {"address": "2001:db8::f00/64", "ip_version": 6}
           ]
       }
   }

**Example Update address group: JSON response**

.. code::

   HTTP/1.1 200 OK
   Content-Type: application/json; charset=UTF-8

.. code::

   {
       "address_group": {
           "description": "",
           "id": "8722e0e0-9cc9-4490-9660-8c9a5732fbb0",
           "name": "ADDR_GP_1",
           "project_id": "45977fa2dbd7482098dd68d0d8970117",
           "addresses": [
               {"address": "132.168.4.12/24", "ip_version": 4},
               {"address": "132.168.5.12-132.168.5.24", "ip_version": 4},
               {"address": "2001:db8::f00/64", "ip_version": 6}
           ]
       }
   }

Delete address group
^^^^^^^^^^^^^^^^^^^^^

Deletes an address group.

This operation does not return a response body.

+----------------+----------------------------------------------------+
| Request Type   | ``DELETE``                                         |
+----------------+----------------------------------------------------+
| Endpoint       | ``/v2.0/fwaas/address_groups/<address_group_id>``  |
+----------------+---------+------------------------------------------+
|                | Success | 204                                      |
| Response Codes +---------+------------------------------------------+
|                | Error   | Unauthorized(401), Not Found(404),       |
|                |         | Conflict(409). The Conflict error        |
|                |         | response is returned when an             |
|                |         | operation is performed while the         |
|                |         | address group is in use.                 |
+----------------+---------+------------------------------------------+

**Example Delete address group: JSON request**

.. code::

   DELETE /v2.0/fwaas/address_groups/8722e0e0-9cc9-4490-9660-8c9a5732fbb0.json
   User-Agent: python-neutronclient
   Accept: application/json

**Example Delete address group: JSON response**

.. code::

   HTTP/1.1 204 No Content
   Content-Length: 0

List firewall rules
^^^^^^^^^^^^^^^^^^^^

Lists firewall rules.

+----------------+------------------------------------------------+
| Request Type   | ``GET``                                        |
+----------------+------------------------------------------------+
| Endpoint       | ``/v2.0/fwaas/firewall_rules``                 |
+----------------+---------+--------------------------------------+
|                | Success | 200                                  |
| Response Codes +---------+--------------------------------------+
|                | Error   | Unauthorized(401)                    |
+----------------+---------+--------------------------------------+

**Example List firewall rules: JSON request**

.. code::

   GET /v2.0/fwaas/firewall_rules.json
   User-Agent: python-neutronclient
   Accept: application/json

**Example List firewall rules: JSON response**

.. code::

   {
       "firewall_rules": [
           {
               "action": "ALLOW",
               "description": "",
               "enabled": true,
               "firewall_policy_id": "56632e51-d2aa-4b79-9fd4-45f51088c4ed",
               "id": "9faaf49f-dd89-4e39-a8c6-101839aa49bc",
               "name": "ALLOW_HTTP",
               "position": 1,
               "shared": false,
               "protocol": "tcp",
               "source_port": null,
               "destination_port": "80",
               "ip_version": 4,
               "source_ip_address": null,
               "destination_ip_address": null,
               "source_address_group_ids": [],
               "destination_address_group_ids": ["8315762a-f0ae-4f6b-981a-a16a6c3103c2"],
               "project_id": "45977fa2dbd7482098dd68d0d8970117"
           }
       ]
   }

Show firewall rule details
^^^^^^^^^^^^^^^^^^^^^^^^^^^

Shows firewall rule details.

+----------------+----------------------------------------------------+
| Request Type   | ``GET``                                            |
+----------------+----------------------------------------------------+
| Endpoint       | ``/v2.0/fwaas/firewall_rules/<firewall_rule_id>``  |
+----------------+---------+------------------------------------------+
|                | Success | 200                                      |
| Response Codes +---------+------------------------------------------+
|                | Error   | Unauthorized(401), Not Found(404)        |
+----------------+---------+------------------------------------------+

**Example Show firewall rule: JSON request**

.. code::

   GET /v2.0/fwaas/firewall_rules/9faaf49f-dd89-4e39-a8c6-101839aa49bc.json
   User-Agent: python-neutronclient
   Accept: application/json

**Example Show firewall rule: JSON response**

.. code::

   {
       "firewall_rule": {
           "action": "ALLOW",
           "description": "",
           "enabled": true,
           "firewall_policy_id": "56632e51-d2aa-4b79-9fd4-45f51088c4ed",
           "id": "9faaf49f-dd89-4e39-a8c6-101839aa49bc",
           "name": "ALLOW_HTTP",
           "position": 1,
           "shared": false,
           "protocol": "tcp",
           "source_port": null,
           "destination_port": "80",
           "ip_version": 4,
           "source_ip_address": null,
           "destination_ip_address": null,
           "source_address_group_ids": [],
           "destination_address_group_ids": ["8315762a-f0ae-4f6b-981a-a16a6c3103c2"],
           "project_id": "45977fa2dbd7482098dd68d0d8970117"
       }
   }

Create firewall rule
^^^^^^^^^^^^^^^^^^^^^

Creates a firewall rule.

+----------------+------------------------------------------------+
| Request Type   | ``POST``                                       |
+----------------+------------------------------------------------+
| Endpoint       | ``/v2.0/fwaas/firewall_rules/``                |
+----------------+---------+--------------------------------------+
|                | Success | 201                                  |
| Response Codes +---------+--------------------------------------+
|                | Error   | Unauthorized(401), Bad Request(400)  |
+----------------+---------+--------------------------------------+

**Example Create firewall rule: JSON request**

.. code::

   POST /v2.0/fwaas/firewall_rules.json
   User-Agent: python-neutronclient
   Accept: application/json

.. code::

   {
       "firewall_rule": {
           "action": "ALLOW",
           "enabled": true,
           "name": "ALLOW_HTTP",
           "protocol": "tcp",
           "source_port": null,
           "destination_port": "80",
           "source_ip_address": null,
           "destination_ip_address": null,
           "source_address_group_ids": [],
           "destination_address_group_ids": ["8315762a-f0ae-4f6b-981a-a16a6c3103c2"]
       }
   }

**Example Create firewall rule: JSON response**

.. code::

   HTTP/1.1 201 Created
   Content-Type: application/json; charset=UTF-8

.. code::

   {
       "firewall_rule": {
           "action": "ALLOW",
           "description": "",
           "enabled": true,
           "firewall_policy_id": null,
           "id": "9faaf49f-dd89-4e39-a8c6-101839aa49bc",
           "name": "ALLOW_HTTP",
           "position": 1,
           "shared": false,
           "protocol": "tcp",
           "source_port": null,
           "destination_port": "80",
           "ip_version": 4,
           "source_ip_address": null,
           "destination_ip_address": null,
           "source_address_group_ids": [],
           "destination_address_group_ids": ["8315762a-f0ae-4f6b-981a-a16a6c3103c2"],
           "project_id": "45977fa2dbd7482098dd68d0d8970117"
       }
   }

Update firewall rule
^^^^^^^^^^^^^^^^^^^^^

Updates a firewall rule.

+----------------+----------------------------------------------------+
| Request Type   | ``PUT``                                            |
+----------------+----------------------------------------------------+
| Endpoint       | ``/v2.0/fwaas/firewall_rules/<firewall_rule_id>``  |
+----------------+---------+------------------------------------------+
|                | Success | 200                                      |
| Response Codes +---------+------------------------------------------+
|                | Error   | Unauthorized(401), Bad Request(400),     |
|                |         | Not Found(404)                           |
+----------------+---------+------------------------------------------+

**Example Update firewall rule: JSON request**

.. code::

   PUT /v2.0/fwaas/firewall_rules/9faaf49f-dd89-4e39-a8c6-101839aa49bc.json
   User-Agent: python-neutronclient
   Accept: application/json

.. code::

   {
       "firewall_rule": {
           "shared": "true"
       }
   }

**Example Update firewall rule: JSON response**

.. code::

   HTTP/1.1 200 OK
   Content-Type: application/json; charset=UTF-8

.. code::

   {
       "firewall_rule": {
           "action": "ALLOW",
           "description": "",
           "enabled": true,
           "firewall_policy_id": null,
           "id": "9faaf49f-dd89-4e39-a8c6-101839aa49bc",
           "name": "ALLOW_HTTP",
           "position": 1,
           "shared": true,
           "protocol": "tcp",
           "source_port": null,
           "destination_port": "80",
           "ip_version": 4,
           "source_ip_address": null,
           "destination_ip_address": null,
           "source_address_group_ids": [],
           "destination_address_group_ids": ["8315762a-f0ae-4f6b-981a-a16a6c3103c2"],
           "project_id": "45977fa2dbd7482098dd68d0d8970117"
       }
   }

Delete firewall rule
^^^^^^^^^^^^^^^^^^^^^

Deletes a firewall rule.

This operation does not return a response body.

+----------------+----------------------------------------------------+
| Request Type   | ``DELETE``                                         |
+----------------+----------------------------------------------------+
| Endpoint       | ``/v2.0/fwaas/firewall_rules/<firewall_rule_id>``  |
+----------------+---------+------------------------------------------+
|                | Success | 204                                      |
| Response Codes +---------+------------------------------------------+
|                | Error   | Unauthorized(401), Not Found(404),       |
|                |         | Conflict(409). The Conflict error        |
|                |         | response is returned when an             |
|                |         | operation is performed while the         |
|                |         | firewall rule is in use.                 |
+----------------+---------+------------------------------------------+

**Example Delete firewall rule: JSON request**

.. code::

   DELETE /v2.0/fwaas/firewall_rules/9faaf49f-dd89-4e39-a8c6-101839aa49bc.json
   User-Agent: python-neutronclient
   Accept: application/json

**Example Delete firewall rule: JSON response**

.. code::

   HTTP/1.1 204 No Content
   Content-Length: 0

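The response-code contract of the address group and firewall rule endpoints above (201, 200 and 204 on success, 400 and 404 on bad input or unknown ids, and 409 when the object being deleted is still referenced), as an added Python example that is not part of this spec or of neutron-fwaas. ``FwaasStore`` is a purely in-memory stand-in for the service, ids are generated with ``uuid4``, and the sample project id is the one used in the spec's examples. Returning 400 for a rule that names an unknown address group is this example's own assumption; the spec lists the code but not that case.

```python
"""In-memory model of the address-group and firewall-rule response codes in this spec
(added example, not code from the blueprint or from neutron-fwaas): 201 create, 200 show
or update, 204 delete, 404 unknown id, 400 invalid body, 409 on deleting a referenced
object. Treating a rule that names an unknown address group as 400 is an assumption."""
import copy
import uuid
from typing import Any, Dict, List, Optional, Tuple

Response = Tuple[int, Optional[Dict[str, Any]]]  # (HTTP status, JSON body or None)
RULE_DEFAULTS: Dict[str, Any] = {
    "name": "", "description": "", "shared": False, "enabled": True, "action": "DENY",
    "protocol": None, "ip_version": 4, "source_port": None, "destination_port": None,
    "source_ip_address": None, "destination_ip_address": None, "position": None,
    "source_address_group_ids": [], "destination_address_group_ids": [], "firewall_policy_id": None}


def _addresses_ok(addresses: Any) -> bool:
    # "addresses" is required (Req: Yes); every item is {"address", "ip_version"}.
    return isinstance(addresses, list) and bool(addresses) and all(
        isinstance(a, dict) and set(a) == {"address", "ip_version"}
        and a["ip_version"] in (4, 6) for a in addresses)


class FwaasStore:
    def __init__(self, project_id: str) -> None:
        self.project_id = project_id
        self.address_groups: Dict[str, Dict[str, Any]] = {}
        self.firewall_rules: Dict[str, Dict[str, Any]] = {}

    def create_address_group(self, body: Dict[str, Any]) -> Response:
        if not _addresses_ok(body.get("addresses")):
            return 400, None
        group = {"name": "", "description": "", **copy.deepcopy(body),
                 "id": str(uuid.uuid4()), "project_id": body.get("project_id", self.project_id)}
        self.address_groups[group["id"]] = group
        return 201, {"address_group": copy.deepcopy(group)}

    def show_address_group(self, ag_id: str) -> Response:
        group = self.address_groups.get(ag_id)
        return (200, {"address_group": copy.deepcopy(group)}) if group else (404, None)

    def update_address_group(self, ag_id: str, body: Dict[str, Any]) -> Response:
        if ag_id not in self.address_groups:
            return 404, None
        if not set(body) <= {"name", "description", "addresses"}:
            return 400, None  # id is read-only, project_id create-only (CRUD: R, CR)
        merged = {**self.address_groups[ag_id], **copy.deepcopy(body)}
        if not _addresses_ok(merged["addresses"]):
            return 400, None
        self.address_groups[ag_id] = merged
        return 200, {"address_group": copy.deepcopy(merged)}

    def delete_address_group(self, ag_id: str) -> Response:
        if ag_id not in self.address_groups:
            return 404, None
        keys = ("source_address_group_ids", "destination_address_group_ids")
        if any(ag_id in (r[k] or []) for r in self.firewall_rules.values() for k in keys):
            return 409, None  # Conflict: a firewall rule still references the group
        del self.address_groups[ag_id]
        return 204, None

    def _rule_ok(self, rule: Dict[str, Any]) -> bool:
        for side in ("source", "destination"):
            groups = rule[side + "_address_group_ids"] or []
            if rule[side + "_ip_address"] is not None and groups:
                return False  # at most one of the two may be specified
            if any(g not in self.address_groups for g in groups):
                return False  # assumption: unknown address group id -> 400
        return rule["action"] in ("ALLOW", "DENY", "REJECT")

    def create_firewall_rule(self, body: Dict[str, Any]) -> Response:
        rule = {**copy.deepcopy(RULE_DEFAULTS), **copy.deepcopy(body),
                "id": str(uuid.uuid4()), "project_id": body.get("project_id", self.project_id)}
        if not set(body) <= set(RULE_DEFAULTS) | {"project_id"} or not self._rule_ok(rule):
            return 400, None
        self.firewall_rules[rule["id"]] = rule
        return 201, {"firewall_rule": copy.deepcopy(rule)}

    def delete_firewall_rule(self, rule_id: str) -> Response:
        rule = self.firewall_rules.get(rule_id)
        if rule is None:
            return 404, None
        if rule["firewall_policy_id"] is not None:
            return 409, None  # Conflict: a firewall policy still references the rule
        del self.firewall_rules[rule_id]
        return 204, None


def walkthrough() -> List[int]:
    """Create a group, reference it from a rule, then show the 409-before-204 ordering."""
    store = FwaasStore(project_id="45977fa2dbd7482098dd68d0d8970117")
    code, body = store.create_address_group(
        {"name": "ADDR_GP_1", "addresses": [{"address": "132.168.4.12/24", "ip_version": 4}]})
    ag_id = body["address_group"]["id"]
    code2, body = store.create_firewall_rule({"name": "ALLOW_HTTP", "action": "ALLOW",
        "protocol": "tcp", "destination_port": "80", "destination_address_group_ids": [ag_id]})
    rule_id = body["firewall_rule"]["id"]
    return [code, code2,
            store.delete_address_group(ag_id)[0],    # 409: still referenced by the rule
            store.delete_firewall_rule(rule_id)[0],  # 204
            store.delete_address_group(ag_id)[0],    # 204: no longer referenced
            store.show_address_group(ag_id)[0]]      # 404
```

``walkthrough()`` returns ``[201, 201, 409, 204, 204, 404]``: the 409 on the first delete is the reference check the Delete address group table describes, and it is what prevents a rule from silently pointing at a group that no longer exists.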
Data Model Impact
|
||||||
|
------------------
|
||||||
|
|
||||||
|
The following are the backend database tables for the REST API proposed above.
|
||||||
|
|
||||||
|
|
|
||||||
|
| **Firewall Address Groups**
|
||||||
|
|
||||||
|
|
||||||
|
+-------------------+---------+-------+------+----------------------------------------+
|
||||||
|
| Attribute | Type | Req | CRUD | Description |
|
||||||
|
+===================+=========+=======+======+========================================+
|
||||||
|
| id | uuid-str| N/A | R | Unique identifier for the |
|
||||||
|
| | | | | address_group object. |
|
||||||
|
+-------------------+---------+-------+------+----------------------------------------+
|
||||||
|
| name | String | No | CRU | Human readable name for the address |
|
||||||
|
| | | | | group (255 characters limit). Does not |
|
||||||
|
| | | | | have to be unique. |
|
||||||
|
+-------------------+---------+-------+------+----------------------------------------+
|
||||||
|
| description | String | No | CRU | Human readable description for the |
|
||||||
|
| | | | | address group (255 characters limit). |
|
||||||
|
+-------------------+---------+-------+------+----------------------------------------+
|
||||||
|
| project_id | uuid-str| Yes | CR | Owner of the address group. Only |
|
||||||
|
| | | | | admin users can specify a project |
|
||||||
|
| | | | | identifier other than their own. |
|
||||||
|
+-------------------+---------+-------+------+----------------------------------------+
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
| **Firewall Address Group Address associations**
|
||||||
|
|
||||||
|
+-------------------+---------+-------+------+----------------------------------------+
|
||||||
|
| Attribute | Type | Req | CRUD | Description |
|
||||||
|
+===================+=========+=======+======+========================================+
|
||||||
|
| id | uuid-str| N/A | R | Unique identifier for the |
|
||||||
|
| | | | | address_group object. |
|
||||||
|
+-------------------+---------+-------+------+----------------------------------------+
|
||||||
|
| firewall_address | uuid-str| No | CRU | UUID of firewall address group. |
|
||||||
|
| _group_id | | | | |
|
||||||
|
+-------------------+---------+-------+------+----------------------------------------+
|
||||||
|
| address | String | No | CRU | Address that has to be associated to |
|
||||||
|
| | | | | the firewall address group. |
|
||||||
|
+-------------------+---------+-------+------+----------------------------------------+
|
||||||
|
| ip_version | Integer | No | CRU | IP Protocol Version of the address. |
|
||||||
|
+-------------------+---------+-------+------+----------------------------------------+
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
| **Firewall Rules**

+------------------------+------------+-----+------+---------------------------------------+
| Attribute              | Type       | Req | CRUD | Description                           |
+========================+============+=====+======+=======================================+
| id                     | uuid-str   | N/A | R    | Unique identifier for the firewall    |
|                        |            |     |      | rule object.                          |
+------------------------+------------+-----+------+---------------------------------------+
| project_id             | uuid-str   | Yes | CR   | Owner of the firewall rule. Only      |
|                        |            |     |      | admin users can specify a project     |
|                        |            |     |      | identifier other than their own.      |
+------------------------+------------+-----+------+---------------------------------------+
| name                   | String     | No  | CRU  | Human readable name for the firewall  |
|                        |            |     |      | rule (255 characters limit). Does     |
|                        |            |     |      | not have to be unique.                |
+------------------------+------------+-----+------+---------------------------------------+
| description            | String     | No  | CRU  | Human readable description for the    |
|                        |            |     |      | firewall Rule (255 characters limit). |
+------------------------+------------+-----+------+---------------------------------------+
| shared                 | Bool       | No  | CRU  | When set to True makes this firewall  |
|                        |            |     |      | rule visible to projects other than   |
|                        |            |     |      | its owner, and can be used in         |
|                        |            |     |      | firewall policies not owned by its    |
|                        |            |     |      | project.                              |
+------------------------+------------+-----+------+---------------------------------------+
| protocol               | String     | No  | CRU  | IP Protocol.                          |
+------------------------+------------+-----+------+---------------------------------------+
| source_port            | port-range | No  | CRU  | Source port number or a range (an     |
|                        |            |     |      | int in [1, 65535] or range in a:b).   |
+------------------------+------------+-----+------+---------------------------------------+
| destination_port       | port-range | No  | CRU  | Destination port number or a range (  |
|                        |            |     |      | an int in [1, 65535] or range in a:b).|
+------------------------+------------+-----+------+---------------------------------------+
| ip_version             | Integer    | No  | CRU  | IP Protocol Version.                  |
+------------------------+------------+-----+------+---------------------------------------+
| source_ip_address      | String     | No  | CRU  | Source IP address or CIDR.            |
+------------------------+------------+-----+------+---------------------------------------+
| destination_ip_address | String     | No  | CRU  | Destination IP address or CIDR.       |
+------------------------+------------+-----+------+---------------------------------------+
| source_address         | List       | No  | CRU  | When a source_address_group is        |
| _group_ids             |            |     |      | specified, it is matched when the     |
|                        |            |     |      | source IP address in the packet       |
|                        |            |     |      | matches one of the IP addresses in    |
|                        |            |     |      | the address group.                    |
+------------------------+------------+-----+------+---------------------------------------+
| destination_address    | List       | No  | CRU  | When a destination_address_group is   |
| _group_ids             |            |     |      | specified, it is matched when the     |
|                        |            |     |      | destination IP address in the packet  |
|                        |            |     |      | matches one of the IP addresses in the|
|                        |            |     |      | address group.                        |
+------------------------+------------+-----+------+---------------------------------------+
| action                 | String     | No  | CRU  | Action to be performed on the         |
|                        |            |     |      | traffic matching the rule (ALLOW,     |
|                        |            |     |      | DENY, REJECT). Default: DENY.         |
+------------------------+------------+-----+------+---------------------------------------+
| enabled                | Bool       | No  | CRU  | When set to False will disable this   |
|                        |            |     |      | rule in the firewall policy.          |
|                        |            |     |      | Facilitates selectively turning off   |
|                        |            |     |      | rules without having to disassociate  |
|                        |            |     |      | the rule from the firewall policy.    |
|                        |            |     |      | Default: True.                        |
+------------------------+------------+-----+------+---------------------------------------+


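Review bot: the `source_address_group_ids` and `destination_address_group_ids` rows of the Firewall Rules table leave the match semantics undefined in the two cases a driver author has to implement. First, nothing says how the list combines with `source_ip_address` / `destination_ip_address` when both are set on one rule; either make them mutually exclusive and reject the request, or define the match as the union of the CIDR and every listed group, and say which. Second, the type is List but the description speaks of "the address group" in the singular; state that a packet matches when its address is in any of the listed groups. The relation to `ip_version` also needs a sentence (a version-4 rule referencing a group that holds only version-6 entries should be rejected, or documented as matching nothing). Finally, the descriptions refer to `source_address_group` and `destination_address_group`, which are not attribute names in this table; use the `_ids` names so the text matches the API.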
| **Firewall Rules Source Address Group associations**

+-------------------+---------+-------+------+----------------------------------------+
| Attribute         | Type    | Req   | CRUD | Description                            |
+===================+=========+=======+======+========================================+
| id                | uuid-str| N/A   | R    | Unique identifier for the              |
|                   |         |       |      | address_group object.                  |
+-------------------+---------+-------+------+----------------------------------------+
| firewall_rule_id  | uuid-str| No    | CRU  | UUID of firewall rule.                 |
+-------------------+---------+-------+------+----------------------------------------+
| address_group_id  | String  | No    | CRU  | UUID of source address group.          |
+-------------------+---------+-------+------+----------------------------------------+


| **Firewall Rules Destination Address Group associations**

+-------------------+---------+-------+------+----------------------------------------+
| Attribute         | Type    | Req   | CRUD | Description                            |
+===================+=========+=======+======+========================================+
| id                | uuid-str| N/A   | R    | Unique identifier for the              |
|                   |         |       |      | address_group object.                  |
+-------------------+---------+-------+------+----------------------------------------+
| firewall_rule_id  | uuid-str| No    | CRU  | UUID of firewall rule.                 |
+-------------------+---------+-------+------+----------------------------------------+
| address_group_id  | String  | No    | CRU  | UUID of destination address group.     |
+-------------------+---------+-------+------+----------------------------------------+


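Review bot: in both the Source and Destination Address Group associations tables `address_group_id` is typed String while `firewall_rule_id` is uuid-str; both are foreign keys to UUID-keyed resources and should be uuid-str, with the API rejecting values that do not name an existing address group. The `id` description is again copied from the address group object, and both key columns are `Req: No` / `CRU`, which for a pure join table is not the real contract (a row needs both keys on create, so `Yes` / `CR`). The tables are also silent on ownership and lifetime: since a `shared` rule can be used in policies of other projects, say whether a rule may reference an address group owned by a different project, and whether deleting an address group that is still referenced by a rule is rejected (the safe default for a firewall) or cascades and leaves the rule matching nothing.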
Security Impact
---------------

None.

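Review bot: "None." under Security Impact is not supportable for this change. An address group is a mutable object referenced by many rules, so one membership update changes the effective allow/deny set of every firewall group whose policy contains such a rule, across projects once `shared` rules are involved. The section should state which roles may create and update address group membership (policy entries for the new resources), that the driver re-renders every affected firewall group on each membership change, and the intended behaviour for two firewall-relevant edge cases that the tables leave open: a rule whose address group is empty (does it match nothing, or everything?) and an entry whose `ip_version` disagrees with the rule's `ip_version`. Each of these needs a stated and tested behaviour rather than "None.".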
Notifications Impact
--------------------

None.


Other End User Impact
---------------------

None.


Performance Impact
------------------

None.


IPv6 Impact
-----------

None.


Other Deployer Impact
---------------------

None.


Developer Impact
----------------

None.


Community Impact
----------------

None.


Alternatives
------------

None.


Implementation
==============

Assignee(s)
-----------

* Wang Tao


Work Items
----------

* REST API
* DB Schema
* FWaaS plugin update
* CLI update
* L3 agent iptables driver
* L2 agent ovs driver
* FWaaS dashboard


Dependencies
============


Testing
=======

Tempest Tests
--------------

* DB mixin and schema tests
* FWaaS Plugin with mocked driver end-to-end tests
* Tempest tests
* CLI tests


Functional Tests
----------------

* New tests need to be written


API Tests
---------

* REST API and attributes validation tests


Documentation Impact
====================

User Documentation
-------------------

* Neutron CLI and FWaaS API documentation have to be modified.


Developer Documentation
-----------------------

* neutron-fwaas repo will have a devref and documentation will be written.


References
===========

[1] https://specs.openstack.org/openstack/neutron-specs/specs/newton/fwaas-api-2.0.html

[2] https://developer.openstack.org/api-ref/network/v2/#fwaas-v2-0-current-fwaas-firewall-groups-firewall-policies-firewall-rules
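Review bot: the Testing section files DB mixin, plugin and CLI tests under the "Tempest Tests" heading and then lists "Tempest tests" as one of that heading's own bullets; move the unit-level items under a "Unit Tests" heading and keep only API and scenario tests under Tempest. The Functional Tests bullet ("New tests need to be written") should name what is to be covered, at minimum the two drivers listed in Work Items (L3 agent iptables, L2 agent ovs) rendering a rule that references an address group, including the group-membership-update case, since that is the path a wrong rendering would open or close traffic on. The Dependencies section is empty; if there is no dependency beyond the fwaas-api-2.0 spec in [1], write "None." as the other sections do. Also note the IPv6 Impact section says "None." while the address association table carries an `ip_version` column, so mixed-version groups at least need a sentence there.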