ACK to this one and its 2/2 with the following question:

David and I came to the conclusion that rule creation for FGCP does not
map to the DC FW API well.
For FW rule listing and deletion there is no issue.

Without rule creation, do we still need to advertise these two features?
(I suppose so because they are relevant to rule listing, but want to
make sure)

Background of the rule creation mapping problem:
While implementing rule creation for FGCP I identified another issue:
the FGCP FW rule creation API requires one to set the rule id (number).
This number is used for two purposes:

1. With both Accept and Deny rules, rule order is important. The rule
id is the index where the rule should be placed into the rule table.
2. FGCP instances are in Systems with possibly multiple network
segments. So rules can apply for traffic from Internet to instances in
the 1st, 2nd or 3rd network segment, or back, or from 1st to 2nd network
segment, or from 2nd to 3rd, etc. Each path has its own id prefix.
So while specifying an index at rule creation works for FGCP, it is not
portable.

Regards,
Dies Koper



> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> Sent: Tuesday, 21 August 2012 7:08 PM
> To: [email protected]
> Subject: [PATCH 1/2] Adds log_rule and rule_action features for Firewalls and
> associated attributes for the FirewallRule model and create operation
> 
> From: marios <[email protected]>
> 
> 
> Signed-off-by: marios <[email protected]>
> ---
>  server/lib/deltacloud/collections/firewalls.rb |  7 +++++++
>  server/lib/deltacloud/drivers/features.rb      | 16 ++++++++++++++++
>  server/lib/deltacloud/models/firewall_rule.rb  |  2 ++
>  3 files changed, 25 insertions(+)
> 
> diff --git a/server/lib/deltacloud/collections/firewalls.rb
> b/server/lib/deltacloud/collections/firewalls.rb
> index 603a62e..7b9618a 100644
> --- a/server/lib/deltacloud/collections/firewalls.rb
> +++ b/server/lib/deltacloud/collections/firewalls.rb
> @@ -16,6 +16,8 @@
>  module Deltacloud::Collections
>    class Firewalls < Base
> 
> +    include Deltacloud::Features
> +
>      set :capability, lambda { |m| driver.respond_to? m }
> 
>      check_features :for => lambda { |c, f|
driver.class.has_feature?(c, f) }
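Review bot: the new `include Deltacloud::Features` in `Firewalls < Base` needs a one-line comment explaining why this collection needs the module, since nothing else in the hunk references a constant or method from it and the existing `check_features` line already goes through `driver.class.has_feature?`. If the include is what lets the params declared under `feature ... :for => :firewalls` in features.rb reach this collection, say so, otherwise the next reader will treat it as unused and remove it.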
> @@ -85,6 +87,11 @@ module Deltacloud::Collections
>          param :protocol,  :required, :string, ['tcp','udp','icmp'],
"Transport layer
> protocol for the rule"
>          param :port_from, :required, :string, [], "Start of port
range for the rule"
>          param :port_to,   :required, :string, [], "End of port range
for the rule"
> +        param :rule_action, :optional, :string, ['accept', 'deny'],
"Specify if
> +                firewall rule is 'accept' or 'deny' - only if
'rule_action' feature"
> +        param :log_rule, :optional, :string, ['true', 'false'],
"Specify if log should
> +                 be made when firewall rule is triggered - values are
'true' or 'false'
> +                   - only if 'log_rule' feature"
>          control do
>            #source IPs from params
>            addresses =  params.inject([]){|result,current| result <<
current.last unless
> current.grep(/^ip[-_]address/i).empty?; result}
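Review bot: the two new `param` declarations are unconditional, so `rule_action` and `log_rule` are advertised on `create_firewall_rule` for every driver even though their descriptions say "only if 'rule_action' feature" and "only if 'log_rule' feature"; either guard them on the feature or rely on the feature declarations in features.rb alone rather than declaring them twice. The `rule_action` description should also state what happens when the param is omitted: for a firewall rule the default (accept or deny) decides the security posture, so it should not be left to each driver to choose silently. Finally, the `control do` block that follows is not touched, so nothing here reads `params[:rule_action]` or `params[:log_rule]`; if that wiring lands in 2/2, a line in the commit message saying so would help reviewers.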
> diff --git a/server/lib/deltacloud/drivers/features.rb
> b/server/lib/deltacloud/drivers/features.rb
> index bc8bb5b..740ba4b 100644
> --- a/server/lib/deltacloud/drivers/features.rb
> +++ b/server/lib/deltacloud/drivers/features.rb
> @@ -156,6 +156,22 @@ module Deltacloud
>          end
>        end
> 
> +      feature :rule_action, :for => :firewalls do
> +        description "Specify if firewall rule is 'accept' or 'deny'"
> +        operation :create_firewall_rule do
> +          param :rule_action, :string, :optional
> +        end
> +      end
> +
> +      feature :log_rule, :for => :firewalls do
> +        description "Specify if log should be made when firewall rule
is actioned -
> values are 'true' or 'false'"
> +        operation :create_firewall_rule do
> +          param :log_rule, :string, :optional
> +        end
> +
> +      end
> +
> +
>      end
> 
>    end
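Review bot: the `param :rule_action, :string, :optional` and `param :log_rule, :string, :optional` declarations here carry no allowed-value list, while the same params in firewalls.rb restrict them to `['accept', 'deny']` and `['true', 'false']`; keep the value list in one place (here, if the feature declaration is the source of truth) so a driver advertising the feature cannot be handed an unvalidated action string. Minor: the `log_rule` description says "actioned" where firewalls.rb says "triggered", and the extra blank lines after the `log_rule` block (one inside it before `end`, two after) should be collapsed to match the surrounding feature definitions.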
> diff --git a/server/lib/deltacloud/models/firewall_rule.rb
> b/server/lib/deltacloud/models/firewall_rule.rb
> index 3959eb6..6a8de21 100644
> --- a/server/lib/deltacloud/models/firewall_rule.rb
> +++ b/server/lib/deltacloud/models/firewall_rule.rb
> @@ -20,4 +20,6 @@ class FirewallRule < BaseModel
>    attr_accessor :port_to
>    attr_accessor :sources
>    attr_accessor :direction #ingress egress
> +  attr_accessor :rule_action #Accept/Deny - for FGCP, advertised
:rule_action
> feature
> +  attr_accessor :log_rule #true/false - for FGCP, advertised by
:log_rule feature
>  end
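Review bot: the comment on `attr_accessor :rule_action` reads "advertised :rule_action feature" while the one on `:log_rule` reads "advertised by :log_rule feature"; make both read "advertised by the ... feature". Since `FirewallRule` is the driver-independent model, "for FGCP" in both comments goes stale as soon as another driver fills these attributes; describe the value instead (for example `#'accept' or 'deny'` and `#'true' or 'false', as received from the log_rule param`). If `log_rule` is meant to hold a boolean rather than the string the param delivers, the conversion belongs where the driver builds the model, not in the accessor.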
> --
> 1.7.11.4
> 

