Re: [openstack-dev] [neutron] [fwaas] Proposal for the evolution of the FWaaS API

2018-05-10 Thread bo zhaobo
This proposal looks more flexible for network traffic security.
For the current FW V2, we support 2 security levels for a single Neutron port.
One is the security group, the other is the firewall group, but this looks like
it supports more. And the firewall deployer/dispatcher needs to own some network
knowledge for configuring the specific fw rule. So it's necessary to
provide a good user experience, like security tags or something.

2018-05-11 1:03 GMT+08:00 Miguel Lavalle:

> Hi,
>
> As discussed during the weekly FWaaS IRC meeting, there is a new proposal
> for the evolution of the FWaaS API here:
> https://docs.google.com/document/d/1lnzV6pv841pX43sM76gF3aZ7jceRH3FPbKaGpPumWgs/edit
>
> This proposal is based on the current FWaaS V2.0 API as documented here:
> https://specs.openstack.org/openstack/neutron-specs/specs/mitaka/fwaas-api-2.0.html.
> The key additional features proposed are:
>
>    1. Firewall groups not only associate with ports but also with subnets,
>    other firewall groups and dynamic rules. A list of excluded ports can be
>    specified
>    2. Dynamic rules make possible the association with Nova instances by
>    security tags and VM names
>    3. Source and destination address groups can be lists
>    4. A re-direct action in firewall rules
>    5. Priority attribute in firewall policies
>    6. A default rule resource
>
> The agreement in the meeting was for the team to help identify the areas
> where there are incremental features in the proposal compared to what is
> currently in place plus what is already being planned for
> implementation. A spec will be developed based on that increment. We will
> meet in Vancouver to continue the conversation face to face.
>
> Best regards
>
> Miguel
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


[openstack-dev] [neutron] [fwaas] Proposal for the evolution of the FWaaS API

2018-05-10 Thread Miguel Lavalle
Hi,

As discussed during the weekly FWaaS IRC meeting, there is a new proposal
for the evolution of the FWaaS API here:
https://docs.google.com/document/d/1lnzV6pv841pX43sM76gF3aZ7jceRH3FPbKaGpPumWgs/edit

This proposal is based on the current FWaaS V2.0 API as documented here:
https://specs.openstack.org/openstack/neutron-specs/specs/mitaka/fwaas-api-2.0.html.
The key additional features proposed are:

   1. Firewall groups not only associate with ports but also with subnets,
   other firewall groups and dynamic rules. A list of excluded ports can be
   specified
   2. Dynamic rules make possible the association with Nova instances by
   security tags and VM names
   3. Source and destination address groups can be lists
   4. A re-direct action in firewall rules
   5. Priority attribute in firewall policies
   6. A default rule resource

The agreement in the meeting was for the team to help identify the areas
where there are incremental features in the proposal compared to what is
currently in place plus what is already being planned for
implementation. A spec will be developed based on that increment. We will
meet in Vancouver to continue the conversation face to face.

Best regards

Miguel