Firewall as a Service API 2.0

Registered by Armando Migliaccio

This blueprint introduces a few enhancements to the Firewall as a Service (FWaaS) API, including making it more granular by giving users the ability to apply firewall rules at the port level rather than at the router level. Support is extended to various types of Neutron ports, including VM ports and SFC ports as well as router ports. It also aims to provide better grouping mechanisms (security groups and service groups) and discusses the use of a common classifier in achieving this.

Blueprint information

Sridar Kandaswamy
Aishwarya Thangappa
Sridar Kandaswamy
Series goal: Accepted for queens
Milestone target: queens-3
Started by: German Eichberger
Completed by: Akihiro Motoki


COMPLETED L2 Support was the major outstanding item - this has been addressed in Queens. And additional misc features will be evaluated for use cases and addressed as separate blueprints or RFE (by xgerman or SridarK)

I marked this as Implemented based on the above and today's fwaas team meeting discussion -- amotoki, Feb 2, 2018


Feb-06-2016(armax): patches below still need merging.


Jan-09-2017(njohnston): Two patches in neutron-fwaas remain to be merged, but both of them are blocked until in neutron is merged. Remaining patches are (in order):

1.) neutron: IPtables enhancement for co-existence of SG and FWaaS v2 drivers (Chandan/Sarath)

2.) neutron-fwaas: FWaaS v2 driver for L2 ports (Chandan/Sarath)

3.) neutron-fwaas: FWaaS v2 extension for L2 agent (Yushiro/Paddu)

Dec-01-2016(armax): lots of progress on CLI, testing and docs, getting close to completion.

Sep-12-2016(armax): missing CLI, testing, docs, deferred to Ocata

(SridarK): We are running thru integration of the L3 pieces - we are definitely running behind - but targeting to get a basic flow end of the week to early next week.

Aug-8-2015(armax): nothing substantial [1] merged since the beginning of Newton and we are a few weeks from feature freeze. Nothing merged with the target topic [2]. It is increasingly likely this is going to be deferred.


Apr-4-2016(armax): To assess if it needs new owners (to be confirmed in the next few days). Some code available on:

Mar-3-2016(armax): Moved to Newton. Please ensure you re-submit spec if necessary.

Jan-18-2016(sc68cal) - Let's go ahead and push this to neutron-next (N release)

Jan-18-2016(armax): no major code nor documentation as of today. Chances of getting in Mitaka are getting slim. This was always a long shot anyway.

Dec-07-2015(armax): iterating on the spec, but consensus is close. some planning done. Non controversial work about to start.

Gerrit topic: bp/fwaas-api-2

Addressed by:
    FWaaS V2 Plugin

Addressed by:
    FWaaS v2 Database

Addressed by:
    FWaaS v2 L3 Agent Extension

Addressed by:
    The Iptables manager and firewall driver in Neutron must be enhanced for co-existence of SecurityGroup and FWaaS v2 APIs. This patch re-factors the IPTables driver for enabling FWaaS and SG chain to be interleaved preserving ordering of rules.

Addressed by:
    FwaaS v2 REST API

Addressed by:
    FWaaS v2 utilize L3 Agent Extension framework

Addressed by:
    Add support FWaaS v2 CRUD

Addressed by:
    [WIP] FWaaS v2 extension for L2 agent

Gerrit topic: bp/fwaas-api-2-plugin-rpc

Addressed by:
    FWaaS v2 Database rule insert/remove operations support

Addressed by:
    [WIP] FWaaS v2 driver for L2 ports

Addressed by:
    [WIP] FWaaS v2 Tempest API tests

Addressed by:
    [WIP] FWaaS v2 API reference

Addressed by:
    [WIP] Tempest Scenario tests for FWaaS V2

Gerrit topic: fwaasv2_l2agent

Gerrit topic: bug/1609686

Addressed by:
    Update policy.json for FWaaS v2

Gerrit topic: stadium-implosion

Gerrit topic: bug/1657190

Addressed by:
    [WIP] Apply default firewall group for port

Addressed by:
    FWaaS v2 Tempest API tests

Gerrit topic: bug/1649703

Addressed by:
    Fix functional/tempest v2 failures

Addressed by:
    Tempest Scenario tests for FWaaS V2

Addressed by:
    [WIP] Add configurable option for default_firewall_group

Addressed by:
    OVS based l2 Firewall driver for FWaaS v2

Gerrit topic: l2_driver_final

Gerrit topic: co-existing-sg

Gerrit topic: co-existence

Addressed by:
    Add reno for "OVS based l2 Firewall driver for FWaaS v2"

