[openstack-dev] [neutron] [fwaas] Proposal for the evolution of the FWaaS API

bo zhaobo bzhaojyathousandy at gmail.com
Fri May 11 01:15:53 UTC 2018


This proposal looks more flexible for network traffic security.
For the current FW V2, we support 2 security levels for a single Neutron port.
One is the security group, the other is the firewall group, but this looks like
it supports more. And the firewall deployer/dispatcher needs to own some network
knowledge for configuring the specific fw rule. So it's necessary to
provide a good user experience, like security tags or something.

2018-05-11 1:03 GMT+08:00 Miguel Lavalle <miguel at mlavalle.com>:

> Hi,
>
> As discussed during the weekly FWaaS IRC meeting, there is a new proposal
> for the evolution of the FWaaS API here:
> https://docs.google.com/document/d/1lnzV6pv841pX43sM76gF3aZ7jceRH3FPbKaGpPumWgs/edit
>
> This proposal is based on the current FWaaS V2.0 API as documented here:
> https://specs.openstack.org/openstack/neutron-specs/specs/mitaka/fwaas-api-2.0.html.
> The key additional features proposed are:
>
>    1. Firewall groups not only associate with ports but also with
>    subnets, other firewall groups and dynamic rules. A list of excluded ports
>    can be specified
>    2. Dynamic rules make possible the association with Nova instances by
>    security tags and VM names
>    3. Source and destination address groups can be lists
>    4. A re-direct action in firewall rules
>    5. Priority attribute in firewall policies
>    6. A default rule resource
>
> The agreement in the meeting was for the team to help identify the areas
> where there are incremental features in the proposal compared to what is
> currently in place plus what is already being planned for
> implementation. A spec will be developed based on that increment. We will
> meet in Vancouver to continue the conversation face to face.
>
> Best regards
>
> Miguel
>