Add REJECT action rule for fwaas
https://blueprints.launchpad.net/neutron/+spec/fwaas-reject-rule
Add REJECT to the action rule of FWaaS. The action rule of the current FWaaS supports only ALLOW/DENY. DENY simply discards the data without a response, whereas REJECT returns a response. From this response, the connection source can determine that the "connection was refused".
Problem Description
The action rule of the current FWaaS supports only ALLOW/DENY. DENY simply discards the data without a response, whereas REJECT returns a response. Without the REJECT feature, end users cannot tell whether their access attempts are just very slow or have been rejected. The REJECT feature will be a good option for FWaaS.
Proposed Change
Add REJECT to the action rule of FWaaS. From the response that REJECT returns, the connection source can determine that the "connection was refused".
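How a connection source can tell the two behaviours apart, as an added example that is not part of this spec or of neutron-fwaas code. It assumes a TCP connection and that the REJECT response reaches the source as a refused connection; the function names and outcome labels are hypothetical.

```python
import socket

# Outcome labels are constructed for this example; they are not FWaaS API values.
ALLOWED = "connected"        # handshake completed (ALLOW, or no firewall in the path)
REFUSED = "refused"          # explicit negative response, as REJECT is described
NO_RESPONSE = "no_response"  # silence until timeout: DENY, or a slow/lossy path


def classify_connect_error(exc):
    """Map the result of a TCP connect attempt to an outcome label.

    exc is None on success, otherwise the OSError raised by the attempt.
    """
    if exc is None:
        return ALLOWED
    if isinstance(exc, ConnectionRefusedError):
        return REFUSED
    if isinstance(exc, (socket.timeout, TimeoutError)):
        # The source cannot distinguish a DENY rule from a very slow path here,
        # which is the ambiguity the problem description points out.
        return NO_RESPONSE
    # DNS failures, missing routes, etc. are not a firewall verdict.
    raise exc


def probe(host, port, timeout=3.0):
    """Attempt one TCP connection and report what the connection source sees."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return classify_connect_error(None)
    except OSError as exc:
        return classify_connect_error(exc)


if __name__ == "__main__":
    # Constructed loopback demo: a listener stands in for an allowed
    # destination, and the same port after close for one that answers
    # with a refusal.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    print("listener up:  ", probe("127.0.0.1", port))
    srv.close()
    print("listener gone:", probe("127.0.0.1", port))
```

With a DENY rule in the path the same call blocks for the full `timeout` before returning `no_response`, so monitoring that relies on it should budget for that delay.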
Data Model Impact
The DB schema will be changed as follows:
- Add "reject" to the action column in the firewall_rules table.
REST API Impact
Add REJECT to the action rule of FWaaS.
Attribute Name | Type | Access | Default Value | Validation/Conversion | Description |
---|---|---|---|---|---|
action | string | RW, all | 'deny' | 'allow', 'deny', or 'reject' | Action rule |
Security Impact
None.
Notifications Impact
None.
Other End User Impact
None.
Performance Impact
None.
IPv6 Impact
None.
Other Deployer Impact
None.
Developer Impact
Another project is affected:
- Horizon
Community Impact
None.
Alternatives
None.
Implementation
Assignee(s)
- Primary assignee: Higuchi Toshiaki <higuchi@mxj.nes.nec.co.jp>
Work Items
The work items include:
- Implement neutron-fwaas changes.
- Implement python-neutronclient changes for CLI.
- Implement Horizon changes.
Dependencies
None.
Testing
Tempest Tests
Testing will be added to firewall tests.
Functional Tests
Scenario tests will be added to validate the REJECT action rule of the firewall.
API Tests
Testing will be added to firewall tests.
Documentation Impact
The admin guide will be updated to cover the action rule of FWaaS.
User Documentation
The user guide will be updated to cover the action rule of FWaaS.
Developer Documentation
None.
References
None.