[openstack-dev] [neutron] [fwaas] Proposal for the evolution of the FWaaS API
bo zhaobo
bzhaojyathousandy at gmail.com
Fri May 11 01:15:53 UTC 2018
This proposal looks more flexible for network traffic security.
For the current FW V2, we support 2 security levels for a single Neutron port.
One is the security group, the other is the firewall group, but this looks like
it supports more. And the firewall deployer/dispatcher needs to have some network
knowledge to configure the specific fw rule. So it's necessary to
provide a good user experience, like security tags or something.
2018-05-11 1:03 GMT+08:00 Miguel Lavalle <miguel at mlavalle.com>:
> Hi,
>
> As discussed during the weekly FWaaS IRC meeting, there is a new proposal
> for the evolution of the FWaaS API here:
> https://docs.google.com/document/d/1lnzV6pv841pX43sM76gF3aZ7jceRH3FPbKaGpPumWgs/edit
>
> This proposal is based on the current FWaaS V2.0 API as documented here:
> https://specs.openstack.org/openstack/neutron-specs/specs/mitaka/fwaas-api-2.0.html.
> The key additional features proposed are:
>
> 1. Firewall groups not only associate with ports but also with
> subnets, other firewall groups and dynamic rules. A list of excluded ports
> can be specified
> 2. Dynamic rules make possible the association with Nova instances by
> security tags and VM names
> 3. Source and destination address groups can be lists
> 4. A re-direct action in firewall rules
> 5. Priority attribute in firewall policies
> 6. A default rule resource
>
> The agreement in the meeting was for the team to help identify the areas
> where there are incremental features in the proposal compared to what is
> currently in place plus what is already being planned for
> implementation. A spec will be developed based on that increment. We will
> meet in Vancouver to continue the conversation face to face.
>
> Best regards
>
> Miguel