On 29/08/12 11:20, Koper, Dies wrote:
> ACK to this one and its 2/2 with the following question:
>
> David and I came to the conclusion that rule creation for FGCP does not
> map to the DC FW API well.
> For FW rule listing and deletion there is no issue.
>
> Without rule creation, do we still need to advertise these two features?
> (I suppose so because they are relevant to rule listing, but want to
> make sure)
No, in this case I don't think we need the features. We can keep the attributes "rule_action" and "log_rule" on the FirewallRule object, so you can assign values to these when you get a response back from FGCP. Advertising features is more about letting a client know about the extra parameters that can be given for a particular operation. The other thing needed then is an explanation in the API of what these 'rule_action' and 'log_rule' attributes returned in a firewall rule mean. I'll have to rework these patches to a) remove the features and b) write up some docs,

marios

> Background of the rule creation mapping problem:
> While implementing rule creation for FGCP I identified another issue:
> the FGCP FW rule creation API requires one to set the rule id (number).
> This number is used for two purposes:
>
> 1. With Accept and Deny rules, rule order is important. The rule
> id is the index where the rule should be placed into the rule table.
> 2. FGCP instances are in Systems with possibly multiple network
> segments. So rules can apply for traffic from Internet to instances in
> the 1st, 2nd or 3rd network segment, or back, or from 1st to 2nd network
> segment, or from 2nd to 3rd, etc. Each path has its own id prefix.
> So specifying an index at rule creation works for FGCP, but it is not
> portable.
>
> Regards,
> Dies Koper
>
>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]]
>> Sent: Tuesday, 21 August 2012 7:08 PM
>> To: [email protected]
>> Subject: [PATCH 1/2] Adds log_rule and rule_action features for Firewalls and
>> associated attributes for the FirewallRule model and create operation
>>
>> From: marios <[email protected]>
>>
>>
>> Signed-off-by: marios <[email protected]>
>> ---
>> server/lib/deltacloud/collections/firewalls.rb | 7 +++++++
>> server/lib/deltacloud/drivers/features.rb | 16 ++++++++++++++++
>> server/lib/deltacloud/models/firewall_rule.rb | 2 ++
>> 3 files changed, 25 insertions(+)
>> >> diff --git a/server/lib/deltacloud/collections/firewalls.rb >> b/server/lib/deltacloud/collections/firewalls.rb >> index 603a62e..7b9618a 100644 >> --- a/server/lib/deltacloud/collections/firewalls.rb >> +++ b/server/lib/deltacloud/collections/firewalls.rb >> @@ -16,6 +16,8 @@ >> module Deltacloud::Collections >> class Firewalls < Base >> >> + include Deltacloud::Features >> + >> set :capability, lambda { |m| driver.respond_to? m } >> >> check_features :for => lambda { |c, f| > driver.class.has_feature?(c, f) } >> @@ -85,6 +87,11 @@ module Deltacloud::Collections >> param :protocol, :required, :string, ['tcp','udp','icmp'], > "Transport layer >> protocol for the rule" >> param :port_from, :required, :string, [], "Start of port > range for the rule" >> param :port_to, :required, :string, [], "End of port range > for the rule" >> + param :rule_action, :optional, :string, ['accept', 'deny'], > "Specify if >> + firewall rule is 'accept' or 'deny' - only if > 'rule_action' feature" >> + param :log_rule, :optional, :string, ['true', 'false'], > "Specify if log should >> + be made when firewall rule is triggered - values are > 'true' or 'false' >> + - only if 'log_rule' feature" >> control do >> #source IPs from params >> addresses = params.inject([]){|result,current| result << > current.last unless >> current.grep(/^ip[-_]address/i).empty?; result} >> diff --git a/server/lib/deltacloud/drivers/features.rb >> b/server/lib/deltacloud/drivers/features.rb >> index bc8bb5b..740ba4b 100644 >> --- a/server/lib/deltacloud/drivers/features.rb >> +++ b/server/lib/deltacloud/drivers/features.rb 
>> @@ -156,6 +156,22 @@ module Deltacloud >> end >> end >> >> + feature :rule_action, :for => :firewalls do >> + description "Specify if firewall rule is 'accept' or 'deny'" >> + operation :create_firewall_rule do >> + param :rule_action, :string, :optional >> + end >> + end >> + >> + feature :log_rule, :for => :firewalls do >> + description "Specify if log should be made when firewall rule > is actioned - >> values are 'true' or 'false'" >> + operation :create_firewall_rule do >> + param :log_rule, :string, :optional >> + end >> + >> + end >> + >> + >> end >> >> end >> diff --git a/server/lib/deltacloud/models/firewall_rule.rb >> b/server/lib/deltacloud/models/firewall_rule.rb >> index 3959eb6..6a8de21 100644 >> --- a/server/lib/deltacloud/models/firewall_rule.rb >> +++ b/server/lib/deltacloud/models/firewall_rule.rb >> @@ -20,4 +20,6 @@ class FirewallRule < BaseModel >> attr_accessor :port_to >> attr_accessor :sources >> attr_accessor :direction #ingress egress >> + attr_accessor :rule_action #Accept/Deny - for FGCP, advertised > :rule_action >> feature >> + attr_accessor :log_rule #true/false - for FGCP, advertised by > :log_rule feature >> end >> -- >> 1.7.11.4 >> > >
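Review bot: In the firewalls.rb hunk at `@@ -85,6 +87,11 @@`, `rule_action` and `log_rule` are declared as plain optional params of the create operation regardless of whether the driver advertises the matching feature, so a driver without the `rule_action` feature will accept `rule_action=deny` and, as far as the visible control block shows, do nothing with it; the client then gets a rule that may not be the deny rule it asked for, which fails open. Since the features.rb hunk already declares these params under their features, either drop the duplicate declarations here and let the feature mechanism supply them, or make the control block reject a request carrying `rule_action`/`log_rule` when `driver.class.has_feature?` is false for the corresponding feature. The descriptions should also be finished sentences: "only when the driver advertises the 'rule_action' feature" rather than "- only if 'rule_action' feature".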
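Review bot: In the features.rb hunk at `@@ -156,6 +156,22 @@`, the `log_rule` description says the rule "is actioned" while the matching param in firewalls.rb says "is triggered"; pick one wording. The feature-level `param :rule_action, :string, :optional` and `param :log_rule, :string, :optional` carry no allowed values, so a client reading the advertised feature cannot tell that `rule_action` is limited to 'accept'/'deny' and `log_rule` to 'true'/'false'; state the values in the descriptions (or in a value list if the feature DSL supports one). There are also stray blank `+` lines to trim: one between the inner `end` and the closing `end` of the `log_rule` feature, and two after it.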
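Review bot: In the firewall_rule.rb hunk at `@@ -20,4 +20,6 @@`, the comment on `rule_action` says `Accept/Deny` while the create param is constrained to lowercase 'accept'/'deny'; settle on one canonical spelling so a rule read back compares equal to what was requested. Also document what a nil `rule_action` or `log_rule` means on a rule returned by a driver that does not support them (the accessors exist on every FirewallRule, not only FGCP's), since a consumer must not read nil as either 'accept' or 'deny' without a stated default; this is the API documentation gap marios's reply already commits to closing.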
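An added example, not Deltacloud's own code, of the feature gating marios's reply describes: a validator that refuses `rule_action`/`log_rule` on rule creation unless the driver advertises the corresponding feature, so a requested deny rule is never quietly dropped by a driver that ignores the param. The driver classes, the `has_feature?` shape and `validate_rule_params` are assumptions made for illustration.

```ruby
# Added example (not Deltacloud code): minimal model of feature advertisement
# for firewall rule creation. Drivers advertise the optional params they honour;
# the validator rejects a request that relies on a param the driver does not
# advertise, instead of accepting the value and silently discarding it.

# Hypothetical stand-in for a Deltacloud driver class; the real DSL differs.
class FakeDriver
  def self.features
    {}
  end

  def self.has_feature?(collection, feature)
    (features[collection] || []).include?(feature)
  end
end

# Driver that honours both optional params (FGCP-like).
class FgcpLikeDriver < FakeDriver
  def self.features
    { firewalls: [:rule_action, :log_rule] }
  end
end

# Driver that advertises neither feature.
class BasicDriver < FakeDriver; end

# Optional create params and the feature each one requires.
FEATURE_PARAMS = { rule_action: :rule_action, log_rule: :log_rule }.freeze
# Canonical (lowercase) value sets, matching the collection's param lists.
ALLOWED_VALUES = { rule_action: %w[accept deny], log_rule: %w[true false] }.freeze

# Returns [:ok, normalised_params] or [:error, message].
def validate_rule_params(driver, params)
  out = {}
  FEATURE_PARAMS.each do |param, feature|
    next unless params.key?(param)
    value = params[param].to_s.downcase
    unless driver.has_feature?(:firewalls, feature)
      return [:error, "param '#{param}' requires the '#{feature}' feature, " \
                      "which #{driver.name} does not advertise"]
    end
    unless ALLOWED_VALUES[param].include?(value)
      return [:error, "param '#{param}' must be one of #{ALLOWED_VALUES[param].join('/')}"]
    end
    out[param] = value
  end
  [:ok, out]
end
```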
