neutron-specs/specs/rocky/fwaas-2.0-address-groups-support.rst

Firewall as a Service API 2.0 Address Groups Support

Launchpad blueprint:

https://blueprints.launchpad.net/neutron/+spec/fwaas-2.0-address-groups

This bp introduces a enhancement to Firewall as a Service(FWaaS) API 2.0 for supporting address groups. This feature has been proposed in fwaas-api-2.0 but still not implemented.

Problem Description

In actual use of firewall groups, each IP or subnet requires a corresponding firewall rule. When there are a large number of instances, a large number of firewall rules are generated and it is difficult to maintain and manage them.

Proposed Change

Add address group functions to a firewall group. By aggregating multiple address objects into address groups and using address groups instead of the original cidr to generate firewall rules, the number of firewall rules can be effectively reduced.

REST API Impact

Firewall Address Groups

Attribute	Type	Req	CRUD	Description
id	uuid-str	N/A	R	Unique identifier for the address_group object.
name	String	No	CRU	Human readable name for the address group (255 characters limit). Does not have to be unique.
description	String	No	CRU	Human readable description for the address group (255 characters limit).
project_id	uuid-str	No	CR	Owner of the address group. Only admin users can specify a project identifier other than their own.
addresses	List	Yes	CRU	Array of key-value pairs of address and ip version. It supports both CIDR and IP range objects. Attributes of CIDR and IP range objects: "address": <CIDR or IP range> "ip_version": 4 or 6(Integer value) An example of addresses: [{"address": "132.168.4.12/24", "ip_version": 4}]

Firewall Rules

Note that as with FWaaS 1.0, in FWaaS 2.0 firewall rules always use stateful connection tracking.

Attribute	Type	Req	CRUD	Description
id	uuid-str	N/A	R	Unique identifier for the firewall rule object.
project_id	uuid-str	No	CR	Owner of the firewall rule. Only admin users can specify a project identifier other than their own.
name	String	No	CRU	Human readable name for the firewall rule (255 characters limit). Does not have to be unique.
description	String	No	CRU	Human readable description for the firewall Rule (255 characters limit).
shared	Bool	No	CRU	When set to True makes this firewall rule visible to projects other than its owner, and can be used in firewall policies not owned by its project.
protocol	String	No	CRU	IP Protocol.
source_port	port-range	No	CRU	Source port number or a range (an int in [1, 65535] or range in a:b).
destination_port	port-range	No	CRU	Destination port number or a range ( an int in [1, 65535] or range in a:b).
ip_version	Integer	No	CRU	IP Protocol Version.
source_ip_address	String	No	CRU	Source IP address or CIDR.
destination_ip_address	String	No	CRU	Destination IP address or CIDR.
source_address _group_ids	List	No	CRU	This is a list of source address groups. When they are specified, they are matched when the source IP address in the packet matches one of the IP addresses in one of the address groups.
destination_address _group_ids	List	No	CRU	This is a list of destination address groups. When they are specified, they are matched when the destination IP address in the packet matches one of the IP addresses in one of the address groups.
action	String	No	CRU	Action to be performed on the traffic matching the rule (ALLOW, DENY, REJECT). Default: DENY.
enabled	Bool	No	CRU	When set to False will disable this rule in the firewall policy. Facilitates selectively turning off rules without having to disassociate the rule from the firewall policy. Default: True.

Note: At most one of source_ip_address, source_address_group_ids and source_firewall_group_id can be specified. The rule is matched when the source IP address in the packet matches any one of: source_ip_address, one of the IP addresses in the address group, or an IP address of one of the ports in the firewall group. If you want it to match any packet, set the source or destination to 0.0.0.0/0 or ::/0. The same applies to destination_ip_address, destination_address_group_ids, and destination _firewall_group_id, with respect to the destination IP address in the packet.

List address groups

Lists address groups.

Request Type	GET
Endpoint	/v2.0/fwaas/address_groups
Response Codes +	Success | 200 ---------+--------------------------------------+ Error | Unauthorized(401)

Example List address groups: JSON request

GET /v2.0/fwaas/address_groups.json
User-Agent: python-neutronclient
Accept: application/json

Example List address groups: JSON response

{
    "address_groups": [
        {
            "description": "",
            "id": "8722e0e0-9cc9-4490-9660-8c9a5732fbb0",
            "name": "ADDR_GP_1",
            "project_id": "45977fa2dbd7482098dd68d0d8970117",
            "addresses": [
               {"address": "132.168.4.12/24", "ip_version": 4},
               {"address": "132.168.5.12-132.168.5.24", "ip_version": 4},
               {"address": "2001::db8::f00/64", "ip_version": 6}
            ]
        }
    ]
}

Show address group details

Shows address group details.

Request Type	GET
Endpoint	/v2.0/fwaas/address_groups/<address_group_id>
Response Codes +	Success | 200 ---------+------------------------------------------+ Error | Unauthorized(401), Not Found (404)

Example Show address group: JSON request

GET /v2.0/fwaas/address_groups/8722e0e0-9cc9-4490-9660-8c9a5732fbb0.json
User-Agent: python-neutronclient
Accept: application/json

Example Show address group: JSON response

{
   "address_group": {
        "description": "",
        "id": "8722e0e0-9cc9-4490-9660-8c9a5732fbb0",
        "name": "ADDR_GP_1",
        "project_id": "45977fa2dbd7482098dd68d0d8970117",
        "addresses": [
           {"address": "132.168.4.12/24", "ip_version": 4},
           {"address": "132.168.5.12-132.168.5.24", "ip_version": 4},
           {"address": "2001::db8::f00/64", "ip_version": 6}
        ]
    }
}

Create address group

Creates an address group.

Request Type	POST
Endpoint	/v2.0/fwaas/address_groups/
Response Codes +	Success | 201 ---------+--------------------------------------+ Error | Unauthorized(401), Bad Request(400)

Example Create address group: JSON request

POST /v2.0/fwaas/address_groups.json
User-Agent: python-neutronclient
Accept: application/json

{
    "address_group": {
        "name": "ADDR_GP_1",
        "addresses": [
           {"address": "132.168.4.12/24", "ip_version": 4},
           {"address": "132.168.5.12-132.168.5.24", "ip_version": 4},
           {"address": "2001::db8::f00/64", "ip_version": 6}
        ]
    }
}

Example Create address group: JSON response

HTTP/1.1 201 Created
Content-Type: application/json; charset=UTF-8

{
   "address_group": {
        "description": "",
        "id": "8722e0e0-9cc9-4490-9660-8c9a5732fbb0",
        "name": "ADDR_GP_1",
        "project_id": "45977fa2dbd7482098dd68d0d8970117",
        "addresses": [
           {"address": "132.168.4.12/24", "ip_version": 4},
           {"address": "132.168.5.12-132.168.5.24", "ip_version": 4},
           {"address": "2001::db8::f00/64", "ip_version": 6}
        ]
    }
}

Update address group

Updates an address group.

Request Type	PUT
Endpoint	/v2.0/fwaas/address_groups/<address_group_id>
Response Codes +	Success | 200 ---------+------------------------------------------+ Error | Unauthorized(401), Bad Request(400) | Not Found(404)

Example Update address group: JSON request

PUT /v2.0/fwaas/address_groups/8722e0e0-9cc9-4490-9660-8c9a5732fbb0.json
User-Agent: python-neutronclient
Accept: application/json

{
    "address_group": {
        "addresses": [
           {"address": "132.168.4.12/24", "ip_version": 4},
           {"address": "132.168.5.12-132.168.5.24", "ip_version": 4},
           {"address": "2001::db8::f00/64", "ip_version": 6}
        ]
    }
}

Example Update address group: JSON response

HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

{
   "address_group": {
        "description": "",
        "id": "8722e0e0-9cc9-4490-9660-8c9a5732fbb0",
        "name": "ADDR_GP_1",
        "project_id": "45977fa2dbd7482098dd68d0d8970117",
        "addresses": [
           {"address": "132.168.4.12/24", "ip_version": 4},
           {"address": "132.168.5.12-132.168.5.24", "ip_version": 4},
           {"address": "2001::db8::f00/64", "ip_version": 6}
        ]
    }
}

Delete address group

Deletes an address group.

This operation does not return a response body.

Request Type	DELETE
Endpoint	/v2.0/fwaas/address_groups/<address_group_id>
Response Codes +	Success | 204 ---------+------------------------------------------+ Error | Unauthorized(401), Not Found(404) Conflict(409) The Conflict error response is returned when an operation is performed while address group is in use.

Example Delete address group: JSON request

DELETE /v2.0/fwaas/address_groups/8722e0e0-9cc9-4490-9660-8c9a5732fbb0.json
User-Agent: python-neutronclient
Accept: application/json

Example Delete address group: JSON response

HTTP/1.1 204 No Content
Content-Length: 0

List firewall rules

Lists firewall rules.

Request Type	GET
Endpoint	/v2.0/fwaas/firewall_rules
Response Codes +	Success | 200 ---------+--------------------------------------+ Error | Unauthorized(401)

Example List firewall rules: JSON request

GET /v2.0/fwaas/firewall_rules.json
User-Agent: python-neutronclient
Accept: application/json

Example List firewall rules: JSON response

{
    "firewall_rules": [
        {
            "action": "ALLOW",
            "description": "",
            "enabled": true,
            "firewall_policy_id": "56632e51-d2aa-4b79-9fd4-45f51088c4ed",
            "id": "9faaf49f-dd89-4e39-a8c6-101839aa49bc",
            "name": "ALLOW_HTTP",
            "position": 1,
            "shared": false,
            "protocol": "tcp",
            "source_port": null,
            "destination_port": "80",
            "ip_version": 4,
            "source_ip_address": null,
            "destination_ip_address": null
            "source_address_group_ids": [],
            "destination_address_group_ids": ["8315762a-f0ae-4f6b-981a-a16a6c3103c2"],
            "project_id": "45977fa2dbd7482098dd68d0d8970117"
        }
    ]
}

Show firewall rule details

Shows firewall rule details.

Request Type	GET
Endpoint	/v2.0/fwaas/firewall_rules/<firewall_rule_id>
Response Codes +	Success | 200 ---------+------------------------------------------+ Error | Unauthorized(401), Not Found (404)

Example Show firewall rule: JSON request

GET /v2.0/fwaas/firewall_rules/9faaf49f-dd89-4e39-a8c6-101839aa49bc.json
User-Agent: python-neutronclient
Accept: application/json

Example Show firewall rule: JSON response

{
    "firewall_rule": {
        "action": "ALLOW",
        "description": "",
        "enabled": true,
        "firewall_policy_id": "56632e51-d2aa-4b79-9fd4-45f51088c4ed",
        "id": "9faaf49f-dd89-4e39-a8c6-101839aa49bc",
        "name": "ALLOW_HTTP",
        "position": 1,
        "shared": false,
        "protocol": "tcp",
        "source_port": null,
        "destination_port": "80",
        "ip_version": 4,
        "source_ip_address": null,
        "destination_ip_address": null,
        "source_address_group_ids": [],
        "destination_address_group_ids": ["8315762a-f0ae-4f6b-981a-a16a6c3103c2"],
        "project_id": "45977fa2dbd7482098dd68d0d8970117"
    }
}

Create firewall rule

Creates a firewall rule.

Request Type	POST
Endpoint	/v2.0/fwaas/firewall_rules/
Response Codes +	Success | 201 ---------+--------------------------------------+ Error | Unauthorized(401), Bad Request(400)

Example Create firewall rule: JSON request

POST /v2.0/fwaas/firewall_rules.json
User-Agent: python-neutronclient
Accept: application/json

{
    "firewall_rule": {
        "action": "ALLOW",
        "enabled": true,
        "name": "ALLOW_HTTP",
        "protocol": "tcp",
        "source_port": null,
        "destination_port": "80",
        "source_ip_address": null,
        "destination_ip_address": null,
        "source_address_group_ids": [],
        "destination_address_group_ids": ["8315762a-f0ae-4f6b-981a-a16a6c3103c2"]
    }
}

Example Create firewall rule: JSON response

HTTP/1.1 201 Created
Content-Type: application/json; charset=UTF-8

{
    "firewall_rule": {
        "action": "ALLOW",
        "description": "",
        "enabled": true,
        "firewall_policy_id": null,
        "id": "9faaf49f-dd89-4e39-a8c6-101839aa49bc",
        "name": "ALLOW_HTTP",
        "position": 1,
        "shared": false,
        "protocol": "tcp",
        "source_port": null,
        "destination_port": "80",
        "ip_version": 4,
        "source_ip_address": null,
        "destination_ip_address": null,
        "source_address_group_ids": [],
        "destination_address_group_ids": ["8315762a-f0ae-4f6b-981a-a16a6c3103c2"],
        "project_id": "45977fa2dbd7482098dd68d0d8970117"
    }
}

Update firewall rule

Updates a firewall rule.

Request Type	PUT
Endpoint	/v2.0/fwaas/firewall_rules/<firewall_rule_id>
Response Codes +	Success | 200 ---------+------------------------------------------+ Error | Unauthorized(401), Bad Request(400) | Not Found(404)

Example Update firewall rule: JSON request

PUT /v2.0/fwaas/firewall_rules/9faaf49f-dd89-4e39-a8c6-101839aa49bc.json
User-Agent: python-neutronclient
Accept: application/json

{
    "firewall_rule": {
        "shared": "true"
    }
}

Example Update firewall rule: JSON response

HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

{
    "firewall_rule": {
        "action": "ALLOW",
        "description": "",
        "enabled": true,
        "firewall_policy_id": null,
        "id": "9faaf49f-dd89-4e39-a8c6-101839aa49bc",
        "name": "ALLOW_HTTP",
        "position": 1,
        "shared": true,
        "protocol": "tcp",
        "source_port": null,
        "destination_port": "80",
        "ip_version": 4,
        "source_ip_address": null,
        "destination_ip_address": null,
        "source_address_group_ids": [],
        "destination_address_group_ids": ["8315762a-f0ae-4f6b-981a-a16a6c3103c2"],
        "project_id": "45977fa2dbd7482098dd68d0d8970117"
    }
}

Delete firewall rule

Deletes a firewall rule.

This operation does not return a response body.

Request Type	DELETE
Endpoint	/v2.0/fwaas/firewall_rules/<firewall_rule_id>
Response Codes +	Success | 204 ---------+------------------------------------------+ Error | Unauthorized(401), Not Found(404) Conflict(409) The Conflict error response is returned when an operation is performed while firewall rule is in use.

Example Delete firewall rule: JSON request

DELETE /v2.0/fwaas/firewall_rules/9faaf49f-dd89-4e39-a8c6-101839aa49bc.json
User-Agent: python-neutronclient
Accept: application/json

Example Delete firewall rule: JSON response

HTTP/1.1 204 No Content
Content-Length: 0

Data Model Impact

The following are the backend database tables for the REST API proposed above.

Firewall Address Groups

Attribute	Type	Req	CRUD	Description
id	uuid-str	N/A	R	Unique identifier for the address_group object.
name	String	No	CRU	Human readable name for the address group (255 characters limit). Does not have to be unique.
description	String	No	CRU	Human readable description for the address group (255 characters limit).
project_id	uuid-str	Yes	CR	Owner of the address group. Only admin users can specify a project identifier other than their own.

Firewall Address Group Address associations

Attribute	Type	Req	CRUD	Description
id	uuid-str	N/A	R	Unique identifier for the address_group object.
firewall_address _group_id	uuid-str	No	CRU	UUID of firewall address group.
address	String	No	CRU	Address that has to be associated to the firewall address group.
ip_version	Integer	No	CRU	IP Protocol Version of the address.

Firewall Rules

Attribute	Type	Req	CRUD	Description
id	uuid-str	N/A	R	Unique identifier for the firewall rule object.
project_id	uuid-str	Yes	CR	Owner of the firewall rule. Only admin users can specify a project identifier other than their own.
name	String	No	CRU	Human readable name for the firewall rule (255 characters limit). Does not have to be unique.
description	String	No	CRU	Human readable description for the firewall Rule (255 characters limit).
shared	Bool	No	CRU	When set to True makes this firewall rule visible to projects other than its owner, and can be used in firewall policies not owned by its project.
protocol	String	No	CRU	IP Protocol.
source_port	port-range	No	CRU	Source port number or a range (an int in [1, 65535] or range in a:b).
destination_port	port-range	No	CRU	Destination port number or a range ( an int in [1, 65535] or range in a:b).
ip_version	Integer	No	CRU	IP Protocol Version.
source_ip_address	String	No	CRU	Source IP address or CIDR.
destination_ip_address	String	No	CRU	Destination IP address or CIDR.
source_address _group_ids	List	No	CRU	When a source_address_group is specified, it is matched when the source IP address in the packet matches one of the IP addresses in the address group.
destination_address _group_ids	List	No	CRU	When a destination_address_group is specified, it is matched when the destination IP address in the packet matches one of the IP addresses in the address group.
action	String	No	CRU	Action to be performed on the traffic matching the rule (ALLOW, DENY, REJECT). Default: DENY.
enabled	Bool	No	CRU	When set to False will disable this rule in the firewall policy. Facilitates selectively turning off rules without having to disassociate the rule from the firewall policy. Default: True.

Firewall Rules Source Address Group associations

Attribute	Type	Req	CRUD	Description
id	uuid-str	N/A	R	Unique identifier for the address_group object.
firewall_rule_id	uuid-str	No	CRU	UUID of firewall rule.
address_group_id	String	No	CRU	UUID of source address group.

Firewall Rules Destination Address Group associations

Attribute	Type	Req	CRUD	Description
id	uuid-str	N/A	R	Unique identifier for the address_group object.
firewall_rule_id	uuid-str	No	CRU	UUID of firewall rule.
address_group_id	String	No	CRU	UUID of destination address group.

Security Impact

None.

Notifications Impact

None.

Other End User Impact

None.

Performance Impact

None.

IPv6 Impact

None.

Other Deployer Impact

None.

Developer Impact

None.

Community Impact

None.

Alternatives

None.

Implementation

Assignee(s)

• Wang Tao

Work Items

• REST API
• DB Schema
• FWaaS plugin update
• CLI update
• L3 agent iptables driver
• L2 agent ovs driver
• FWaaS dashboard

Dependencies

Testing

Tempest Tests

• DB mixin and schema tests
• FWaaS Plugin with mocked driver end-to-end tests
• Tempest tests
• CLI tests

Functional Tests

• New tests need to be written

API Tests

• REST API and attributes validation tests

Documentation Impact

User Documentation

• Neutron CLI and FWaaS API documentation have to be modified.

Developer Documentation

• neutron-fwaas repo will have a devref and documentation will be written.

References

[1] https://specs.openstack.org/openstack/neutron-specs/specs/newton/fwaas-api-2.0.html

[2] https://developer.openstack.org/api-ref/network/v2/#fwaas-v2-0-current-fwaas-firewall-groups-firewall-policies-firewall-rules