FWaaS extension for customized service and service group
A service defines a type of traffic. This blueprint creates an extension that allows an administrator to create customized service objects. The customized service objects can be grouped together to form a service group object.
A service object can have the following attributes:
- Name
- Transport protocol
- Source and destination port numbers (ranges) for services using TCP or UDP
- The ICMP type and code for services using ICMP
- Service timeout value
The transport protocol and port numbers are mandatory.
People are asking about the relationship between the service object and the protocol/port that can be defined on the rule. I think the service object can cover the current "on-rule" protocol/port. But just for the users who want to create a simple rule, I'm thinking of still keeping the original "on-rule" protocol/port options. But we will not allow a user to use a service object and "on-rule" protocol/port at the same time.
Service group:
| Attribute name | Type | Default Value | Required | CRUD | Description |
| id | uuid | generated | Y | R | |
| name | String | empty | N | CRU |Name of service group |
| description | String | empty | N | CRU | |
| tenant id | uuid | empty | Y | R |Id of tenant that creates service group |
| service objects | list | empty list | N | CRU |List of service objects |
Service object:
| Attribute name | Type | Default Value | Required | CRUD |Description |
| id | uuid | generated | Y | R | |
| name | String | empty | N | CRU |Name of the service object|
| service group id | uuid | empty | N | CRU |Foreign key to service grp|
| protocol | string | empty | Y | CRU |'tcp',
| source_port | short | empty | N | CRU | |
| destination_port | short | empty | N | CRU | |
| icmp_code | char | empty | N | CRU | |
| icmp_type | char | empty | N | CRU | |
| timeout | short | empty | N | CRU | |
| tenant_id | uuid | empty | Y | R | |
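An added example, not part of the blueprint or of Neutron's code: Python validators for the constraints the attribute tables and the "on-rule" exclusion above describe. Assumptions: the protocol set is tcp/udp/icmp, port ranges use "low:high" syntax, ports follow the table's Required column (optional), and the rule field `service_group_id` and all function names are hypothetical.

```python
# Added example: hypothetical validators, not Neutron FWaaS code.
TRANSPORTS = {"tcp", "udp"}
PROTOCOLS = TRANSPORTS | {"icmp"}  # assumed value set; the page's list is truncated


class ServiceValidationError(ValueError):
    pass


def parse_port_range(value):
    """Return (low, high) for 80 or "8000:8080" (range syntax is an assumption)."""
    low, _, high = str(value).partition(":")
    try:
        low, high = int(low), int(high or low)
    except ValueError:
        raise ServiceValidationError(f"bad port spec: {value!r}") from None
    if not 1 <= low <= high <= 65535:
        raise ServiceValidationError(f"port out of range: {value!r}")
    return low, high


def validate_service_object(obj):
    """Check one service object dict against the attribute table."""
    proto = obj.get("protocol")
    if proto not in PROTOCOLS:
        raise ServiceValidationError(f"protocol is required, got {proto!r}")
    ports = [k for k in ("source_port", "destination_port") if obj.get(k) is not None]
    icmp = [k for k in ("icmp_type", "icmp_code") if obj.get(k) is not None]
    if proto in TRANSPORTS and icmp:
        raise ServiceValidationError(f"{icmp} only apply to icmp")
    if proto == "icmp" and ports:
        raise ServiceValidationError(f"{ports} only apply to tcp/udp")
    for key in ports:
        parse_port_range(obj[key])
    for key in icmp:
        if not 0 <= int(obj[key]) <= 255:
            raise ServiceValidationError(f"{key} must fit in one byte")
    return True


def validate_rule(rule):
    """Reject a firewall rule that mixes a service group with on-rule fields."""
    on_rule = [k for k in ("protocol", "source_port", "destination_port")
               if rule.get(k) is not None]
    if rule.get("service_group_id") and on_rule:
        raise ServiceValidationError(f"service group cannot be combined with {on_rule}")
    return True
```

Rejecting the mixed case at the API layer keeps a rule from carrying two competing traffic definitions, so the policy an administrator reads is the policy that is enforced.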
Blueprint information
- Status: Complete
- Approver: Kyle Mestery
- Priority: Low
- Drafter: Yi Sun
- Direction: Approved
- Assignee: Yi Sun
- Definition: Obsolete
- Series goal: None
- Implementation: Needs Code Review
- Milestone target: None
- Started by: Yi Sun
- Completed by: Armando Migliaccio
Whiteboard
Nov-13-2015(armax): If someone is interested in pursuing it, this must be re-submitted according to guidelines defined in [1], especially in light of fwaas v2 api proposal.
[1] http://
-----------------
Thanks, I will re-submit.
Sept-1-2015(armax): I can't seem to figure out the status of this effort, this surely won't make it to L3
March-17 (mestery): Out of Kilo.
December-23 (mestery): Welcome to Kilo-3.
September-3 (mestery): Moving out of Juno, needs to be proposed again for Kilo.
16-July (mestery): Targeting Juno-3.
Sumit: Regarding the "on-rule" protocol/port, I think I agree with your approach. Let's see what the rest of the folks have to say.
Yi: I'm considering moving the extension to a common neutron extension rather than a fwaas extension, since other services or plugins may also have needs for this.
Gerrit topic: https:/
Addressed by: https:/
-In FWaaS, administrator can use port range and protocol inside firewall rules
to define traffic type. But we don't have a flexible way to allow user to specify more
than one type of traffic in the same rule. To support different traffic type, with the
same source, destination address and action, different rules need to be created.
Gerrit topic: https:/
Addressed by: https:/
Service group blueprint blueprint fwaas-customize
Addressed by: https:/
Implements: blueprint fwaas-customize
Gerrit topic: https:/
Addressed by: https:/
Service group and Service Object for firewall as a service
Addressed by: https:/
Add service group as a firewall customized service
Addressed by: https:/
The patchset implements scenario test for basic connectivity test using service group with FwaaS Implements: blueprint fwaas-customize