Firewall Group Ordering on Port Association
https://bugs.launchpad.net/neutron/+bug/1979816
Currently, packets will sometimes be passed, and other times be blocked, depending on the ordering of groups applied to a port. This is contrary to the existing FWaaS spec, which states that a packet will be allowed so long as any group on the port would allow the packet.
Problem Description
Refer to the linked RFE.
Proposed Change
Similar to firewall_policy_rule_associations_v2, the firewall_group_port_associations_v2 table should have a required position column to maintain the order in which firewall groups are applied to ports.
In addition, modification of this ordering should be limited by user role. For example, an OpenStack administrator may want a particular group to always be applied first or last, regardless of which groups are added to a port by a tenant. In iptables, this is typically referred to as Head and Tail rules. All Head groups should be applied first, in order. All Tail groups should be applied last, in order. All other groups would be applied in between, again in order. Only OpenStack administrators should have access to the Head and Tail tiers.
Ex.
firewall_group_id                    | port_id                              | position | tier
da4be831-907b-43d9-86e0-b14a3bd391fc | efb7d60e-d3fc-4f97-91ed-ca71d930bb7c |          | head
0814e179-d2be-464a-a9d4-e13c94451532 | efb7d60e-d3fc-4f97-91ed-ca71d930bb7c |          | head
33ce9937-d9db-48b8-a65d-05fa3a75844a | efb7d60e-d3fc-4f97-91ed-ca71d930bb7c |          | null
6b3172af-9ae0-40e4-b455-c70de7c80c24 | efb7d60e-d3fc-4f97-91ed-ca71d930bb7c |          | null
70a7087e-c6ae-4cef-9b30-35e702746b68 | efb7d60e-d3fc-4f97-91ed-ca71d930bb7c |          | tail
ff1e5eda-c285-4ec2-80f8-49f1a6d77347 | efb7d60e-d3fc-4f97-91ed-ca71d930bb7c |          | tail
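The ordering and role rules above, as an added illustration that is not part of this spec or of neutron-fwaas: the tier names, the GroupPortAssociation type, the sample group and port ids, and the admin-only check are all assumptions made for this example, not the project's API.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed tier precedence from the proposal: Head groups first, untiered
# (null) groups in between, Tail groups last; within a tier, by position.
TIER_RANK = {"head": 0, None: 1, "tail": 2}
ADMIN_ONLY_TIERS = {"head", "tail"}


@dataclass(frozen=True)
class GroupPortAssociation:
    """One row of the proposed firewall_group_port_associations_v2 table (assumed shape)."""
    firewall_group_id: str
    port_id: str
    position: int
    tier: Optional[str] = None  # 'head', 'tail' or None (untiered)


def tier_change_allowed(tier: Optional[str], caller_is_admin: bool) -> bool:
    """Only administrators may place a group in the Head or Tail tier."""
    if tier not in TIER_RANK:
        return False  # unknown tier value is rejected for everyone
    return caller_is_admin or tier not in ADMIN_ONLY_TIERS


def has_duplicate_positions(associations: List[GroupPortAssociation], port_id: str) -> bool:
    """A required position column only fixes ordering if (port, tier, position) is unique."""
    seen = set()
    for a in associations:
        if a.port_id != port_id:
            continue
        key = (a.tier, a.position)
        if key in seen:
            return True
        seen.add(key)
    return False


def ordered_groups(associations: List[GroupPortAssociation], port_id: str) -> List[str]:
    """Return the firewall group ids for one port in the order they are applied."""
    rows = [a for a in associations if a.port_id == port_id]
    rows.sort(key=lambda a: (TIER_RANK[a.tier], a.position))
    return [a.firewall_group_id for a in rows]


# Constructed sample rows, deliberately stored out of order to show that the
# tier and position columns, not insertion order, decide the result.
SAMPLE = [
    GroupPortAssociation("fwg-tail-2", "port-a", 2, "tail"),
    GroupPortAssociation("fwg-mid-1", "port-a", 1, None),
    GroupPortAssociation("fwg-head-2", "port-a", 2, "head"),
    GroupPortAssociation("fwg-tail-1", "port-a", 1, "tail"),
    GroupPortAssociation("fwg-head-1", "port-a", 1, "head"),
    GroupPortAssociation("fwg-mid-2", "port-a", 2, None),
    GroupPortAssociation("fwg-other", "port-b", 1, None),
]
```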