Firewall as a Service API 2.0

Registered by Armando Migliaccio

This blueprint introduces a few enhancements to the Firewall as a Service (FWaaS) API, including making it more granular by giving users the ability to apply firewall rules at the port level rather than at the router level. Support is extended to various types of Neutron ports, including VM ports and SFC ports as well as router ports. It also aims to provide better grouping mechanisms (security groups and service groups) and discusses the use of a common classifier in achieving this.

Blueprint information

Status: Complete
Approver: Sridar Kandaswamy
Priority: Medium
Drafter: Aishwarya Thangappa
Direction: Approved
Assignee: Sridar Kandaswamy
Definition: Approved
Series goal: Accepted for queens
Implementation: Implemented
Milestone target: queens-3
Started by: German Eichberger
Completed by: Akihiro Motoki

Related branches

Sprints

Whiteboard

COMPLETED L2 Support was the major outstanding item - this has been addressed in Queens. And additional misc features will be evaluated for use cases and addressed as separate blueprints or RFE (by xgerman or SridarK)

I marked this as Implemented based on the above and today's fwaas team meeting discussion -- amotoki, Feb 2, 2018

---

Feb-06-2016(armax): patches below still need merging.

* https://review.openstack.org/#/c/348177/
* https://review.openstack.org/#/c/361071/
* https://review.openstack.org/#/c/323971/

Jan-09-2017(njohnston): Two patches in neutron-fwaas remain to be merged, but both of them are blocked until https://review.openstack.org/348177 in neutron is merged. Remaining patches are (in order):

1.) https://review.openstack.org/348177 neutron: IPtables enhancement for co-existence of SG and FWaaS v2 drivers (Chandan/Sarath)

2.) https://review.openstack.org/361071 neutron-fwaas: FWaaS v2 driver for L2 ports (Chandan/Sarath)

3.) https://review.openstack.org/323971 neutron-fwaas: FWaaS v2 extension for L2 agent (Yushiro/Paddu)

Dec-01-2016(armax): lots of progress on CLI, testing and docs, getting close to completion.

Sep-12-2016(armax): missing CLI, testing, docs, deferred to Ocata

(SridarK): We are running thru integration of the L3 pieces - we are definitely running behind - but targeting to get a basic flow end of the week to early next week.

Aug-8-2015(armax): nothing substantial [1] merged since the beginning of Newton and we are a few weeks from feature freeze. Nothing merged with the target topic [2]. It is increasingly likely this is going to be deferred.

[1] https://review.openstack.org/#/q/status:merged+project:openstack/neutron-fwaas+branch:master
[2] https://review.openstack.org/#/q/status:merged+project:openstack/neutron-fwaas+branch:master+topic:fwaas_v2_api

Apr-4-2016(armax): To assess if it needs new owners (to be confirmed in the next few days). Some code available on:

https://review.openstack.org/#/q/status:open+project:openstack/neutron-fwaas+branch:master+topic:fwaas_v2_api

Mar-3-2016(armax): Moved to Newton. Please ensure you re-submit spec if necessary.

Jan-18-2016(sc68cal) - Let's go ahead and push this to neutron-next (N release)

Jan-18-2016(armax): no major code nor documentation as of today. Chances of getting in Mitaka are getting slim. This was always a long shot anyway.

Dec-07-2015(armax): iterating on the spec, but consensus is close. some planning done. Non controversial work about to start.

Gerrit topic: https://review.openstack.org/#q,topic:bp/fwaas-api-2,n,z

Addressed by: https://review.openstack.org/267046
    FWaaS V2 Plugin

Addressed by: https://review.openstack.org/311159
    FWaaS v2 Database

Addressed by: https://review.openstack.org/337699
    FWaaS v2 L3 Agent Extension

Addressed by: https://review.openstack.org/348177
    The Iptables manager and firewall driver in Neutron must be enhanced for co-existence of SecurityGroup and FWaaS v2 APIs. This patch re-factors the IPTables driver for enabling FWaaS and SG chain to be interleaved preserving ordering of rules.

Addressed by: https://review.openstack.org/264489
    FwaaS v2 REST API

Addressed by: https://review.openstack.org/355576
    FWaaS v2 utilize L3 Agent Extension framework

Addressed by: https://review.openstack.org/355755
    Add support FWaaS v2 CRUD

Addressed by: https://review.openstack.org/323971
    [WIP] FWaaS v2 extension for L2 agent

Gerrit topic: https://review.openstack.org/#q,topic:bp/fwaas-api-2-plugin-rpc,n,z

Addressed by: https://review.openstack.org/359343
    FWaaS v2 Database rule insert/remove operations support

Addressed by: https://review.openstack.org/361071
    [WIP] FWaaS v2 driver for L2 ports

Addressed by: https://review.openstack.org/391320
    [WIP] FWaaS v2 Tempest API tests

Addressed by: https://review.openstack.org/391338
    [WIP] FWaaS v2 API reference

Addressed by: https://review.openstack.org/391392
    [WIP] Tempest Scenario tests for FWaaS V2

Gerrit topic: https://review.openstack.org/#q,topic:fwaasv2_l2agent,n,z

Gerrit topic: https://review.openstack.org/#q,topic:bug/1609686,n,z

Addressed by: https://review.openstack.org/404942
    Update policy.json for FWaaS v2

Gerrit topic: https://review.openstack.org/#q,topic:stadium-implosion,n,z

Gerrit topic: https://review.openstack.org/#q,topic:bug/1657190,n,z

Addressed by: https://review.openstack.org/425769
    [WIP] Apply default firewall group for port

Addressed by: https://review.openstack.org/429048
    FWaaS v2 Tempest API tests

Gerrit topic: https://review.openstack.org/#q,topic:bug/1649703,n,z

Addressed by: https://review.openstack.org/429052
    Fix functional/tempest v2 failures

Addressed by: https://review.openstack.org/430292
    Tempest Scenario tests for FWaaS V2

Addressed by: https://review.openstack.org/475183
    [WIP] Add configurable option for default_firewall_group

Addressed by: https://review.openstack.org/447251
    OVS based l2 Firewall driver for FWaaS v2

Gerrit topic: https://review.openstack.org/#q,topic:l2_driver_final,n,z

Gerrit topic: https://review.openstack.org/#q,topic:co-existing-sg,n,z

Gerrit topic: https://review.openstack.org/#q,topic:co-existence,n,z

Addressed by: https://review.openstack.org/525357
    Add reno for "OVS based l2 Firewall driver for FWaaS v2"


Work Items