FWaas extension for customized service and service group

Registered by Yi Sun

A service is used to define a type of traffic. This blueprint creates an extension that allows an administrator to create customized service objects. Customized service objects can be grouped together to form a service group object.
A service object can have the following attributes:
 - Name
 - Transport protocol
 - Source and destination port numbers (or ranges) for services using TCP or UDP
 - The ICMP type and code for services using ICMP
 - Service timeout value

The transport protocol and port numbers are mandatory.

People are asking about the relationship between the service object and the protocol/port that can be defined on the rule. I think the service object can cover the current "on-rule" protocol/port. But just for the users who want to create a simple rule, I'm still thinking of keeping the original "on-rule" protocol/port options. But we will not allow users to use a service object and "on-rule" protocol/port at the same time.

Service group:

        -----------------------------------------------------------------------------------------------------
        | Attribute name   | Type   | Default Value | Required | CRUD | Description                        |
        -----------------------------------------------------------------------------------------------------
        | id               | uuid   | generated     | Y        | R    |                                    |
        -----------------------------------------------------------------------------------------------------
        | name             | String | empty         | N        | CRU  | Name of service group              |
        -----------------------------------------------------------------------------------------------------
        | description      | String | empty         | N        | CRU  |                                    |
        -----------------------------------------------------------------------------------------------------
        | tenant id        | uuid   | empty         | Y        | R    | Id of tenant that creates the      |
        |                  |        |               |          |      | service group                      |
        -----------------------------------------------------------------------------------------------------
        | service objects  | list   | empty list    | N        | CRU  | List of service objects            |
        -----------------------------------------------------------------------------------------------------

Service object:

        -----------------------------------------------------------------------------------------------------
        | Attribute name   | Type   | Default Value | Required | CRUD | Description                        |
        -----------------------------------------------------------------------------------------------------
        | id               | uuid   | generated     | Y        | R    |                                    |
        -----------------------------------------------------------------------------------------------------
        | name             | String | empty         | N        | CRU  | Name of the service object         |
        -----------------------------------------------------------------------------------------------------
        | service group id | uuid   | empty         | N        | CRU  | Foreign key to service group       |
        -----------------------------------------------------------------------------------------------------
        | protocol         | string | empty         | Y        | CRU  | 'tcp', 'udp', 'icmp', 'any', ...   |
        -----------------------------------------------------------------------------------------------------
        | source_port      | short  | empty         | N        | CRU  |                                    |
        -----------------------------------------------------------------------------------------------------
        | destination_port | short  | empty         | N        | CRU  |                                    |
        -----------------------------------------------------------------------------------------------------
        | icmp_code        | char   | empty         | N        | CRU  |                                    |
        -----------------------------------------------------------------------------------------------------
        | icmp_type        | char   | empty         | N        | CRU  |                                    |
        -----------------------------------------------------------------------------------------------------
        | timeout          | short  | empty         | N        | CRU  |                                    |
        -----------------------------------------------------------------------------------------------------
        | tenant_id        | uuid   | empty         | Y        | R    |                                    |
        -----------------------------------------------------------------------------------------------------
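As an added example (not code from the blueprint or from Neutron), the following validator applies the attribute tables above and the "service group or on-rule protocol/port, never both" constraint from the discussion. The per-protocol rules (ports only with tcp/udp, icmp_type/icmp_code only with icmp) and the "low:high" range syntax are assumptions about the intended design, not something the blueprint states.

```python
# Added example (not code from the blueprint or Neutron): validates service
# objects using the attribute names from the tables above. The per-protocol
# rules and the "low:high" range syntax are assumptions, not blueprint text.
PROTOCOLS = {"tcp", "udp", "icmp", "any"}

def parse_port_range(value):
    """Return (low, high) for '80' or '1024:2048', or None if invalid."""
    parts = str(value).split(":")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        return None
    low, high = int(parts[0]), int(parts[-1])
    return (low, high) if 1 <= low <= high <= 65535 else None

def validate_service_object(svc):
    """Return a list of error strings for one service object dict."""
    errors = []
    proto = svc.get("protocol")
    if proto not in PROTOCOLS:
        return [f"protocol must be one of {sorted(PROTOCOLS)}"]
    ports = {k: svc.get(k) for k in ("source_port", "destination_port")}
    icmp = {k: svc.get(k) for k in ("icmp_type", "icmp_code")}
    if proto in ("tcp", "udp"):
        # The text makes protocol and port mandatory: require at least one port.
        if all(v is None for v in ports.values()):
            errors.append("tcp/udp service needs a source or destination port")
        errors += [f"{k}: bad port or range {v!r}" for k, v in ports.items()
                   if v is not None and parse_port_range(v) is None]
        if any(v is not None for v in icmp.values()):
            errors.append("icmp_type/icmp_code are only valid with protocol icmp")
    elif proto == "icmp":
        if any(v is not None for v in ports.values()):
            errors.append("ports are only valid with tcp/udp")
        # ICMP type and code are single bytes.
        errors += [f"{k}: must be 0..255" for k, v in icmp.items()
                   if v is not None and not (str(v).isdigit() and int(v) <= 255)]
    elif any(v is not None for v in list(ports.values()) + list(icmp.values())):
        errors.append("protocol any takes no port or icmp fields")
    timeout = svc.get("timeout")
    if timeout is not None and not (str(timeout).isdigit() and int(timeout) > 0):
        errors.append("timeout must be a positive number of seconds")
    return errors

def validate_rule(rule):
    """Exclusivity proposed above: service group or on-rule protocol/port, not both."""
    inline = ("protocol", "source_port", "destination_port")
    if rule.get("service_group_id") is not None and any(rule.get(k) is not None for k in inline):
        return ["use either service_group_id or on-rule protocol/port, not both"]
    return []
```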

Blueprint information

Status: Complete
Approver: Kyle Mestery
Priority: Low
Drafter: Yi Sun
Direction: Approved
Assignee: Yi Sun
Definition: Obsolete
Series goal: None
Implementation: Needs Code Review
Milestone target: None
Started by: Yi Sun
Completed by: Armando Migliaccio

Whiteboard

Nov-13-2015(armax): If someone is interested in pursuing it, this must be re-submitted according to guidelines defined in [1], especially in light of fwaas v2 api proposal.

[1] http://docs.openstack.org/developer/neutron/policies/blueprints.html

-----------------
Thanks, I will re-submit.

Sept-1-2015(armax): I can't seem to figure out the status of this effort, this surely won't make it to L3

March-17 (mestery): Out of Kilo.

December-23 (mestery): Welcome to Kilo-3.

September-3 (mestery): Moving out of Juno, needs to be proposed again for Kilo.

16-July (mestery): Targeting Juno-3.

Sumit: Regarding the "on-rule" protocol/port, I think I agree with your approach. Let's see what the rest of the folks have to say.

Yi: I'm considering moving the extension to a common neutron extension rather than a fwaas extension, since other services or plugins may also have needs for this.

Gerrit topic: https://review.openstack.org/#q,topic:bp/fwaas-customized-service,n,z

Addressed by: https://review.openstack.org/#/c/106274/
    In FWaaS, administrator can use port range and protocol inside firewall rules
    to define traffic type. But we don't have a flexible way to allow user to specify more
    than one type of traffic in the same rule. To support different traffic type

Addressed by: https://review.openstack.org/#/c/105873/
    In FWaaS, administrator can use port range and protocol inside firewall rules
    to define traffic type. But we don't have a flexible way to allow user to specify more
    than one type of traffic in the same rule. To support different traffic type, with the
    same source, destination address and action, different rules need to be created.
Gerrit topic: https://review.openstack.org/#q,topic:bp/blueprint,n,z

Addressed by: https://review.openstack.org/94133
    Service group blueprint blueprint fwaas-customized-service

Addressed by: https://review.openstack.org/106274
    Implements: blueprint fwaas-customized-service for customized service

Addressed by: https://review.openstack.org/106918
    Implements: blueprint fwaas-customized-service for customized service

Gerrit topic: https://review.openstack.org/#q,topic:bp/creates,n,z

Addressed by: https://review.openstack.org/131568
    Service group and Service Object for firewall as a service

Addressed by: https://review.openstack.org/131596
    Service group and Service Object for firewall as a service

Addressed by: https://review.openstack.org/159692
    Add service group as a firewall customized service

Addressed by: https://review.openstack.org/161076
    Add service group as a firewall customized service

Addressed by: https://review.openstack.org/200753
    The patchset implements scenario test for basic connectivity test using service group with FwaaS Implements: blueprint fwaas-customized-service for customized service

Addressed by: https://review.openstack.org/200778
    Add service group as a firewall customized service
