[openstack-dev] [neutron][qos][fwaas] service groups vs. traffic classifiers

Sean M. Collins sean at coreitpro.com
Tue Nov 10 13:30:56 UTC 2015


On Mon, Nov 09, 2015 at 07:58:34AM EST, Jay Pipes wrote:
> In short, my preference, in order, would be:
> 
> 1) Enhance/evolve the existing security-groups and security-group-rules API
> in Neutron to support more generic classification of traffic from L2 to L7,
> using mostly the modeling that Sean has put together in his PoC library.

<snip>

> 2) Keep the security-group API as-is to keep outward compatibility with AWS.
> Create a single, new service-groups and service-group-rules API for L2 to L7
> traffic classification using mostly the modeling that Sean has put together.
> Remove the networking-sfc repo and obsolete the classifier spec. Not sure
> what should/would happen to the FWaaS API, frankly.
> 

I'd prefer that, since we're already redesigning the Firewall API, we
go ahead and make the Firewall API more expressive, so users can
classify L2 to L7 traffic and then make filtering decisions. Let's not
complicate the Security Group API with more advanced features that we
just bolt on. So my vote is for #2 - with slight adjustments. I still
think the networking-sfc repo should stay around, and that collaboration
on the common classifier framework should happen, so that we can start
both projects (sfc and fwaas) with a common data model for the classifier
piece.

As to the RESTful API for creating classifiers, I don't know if it
should reside in the networking-sfc project. It's a big enough piece
that it will most likely need to be its own endpoint and repo, and have
stakeholders from other projects, not just networking-sfc. That will
take time and quite a bit of wrangling, so I'd like to defer that for a
bit and just work on all the services having the same data model, where
we can make changes quickly, since they are not visible to API
consumers.

-- 
Sean M. Collins


