Discussion:
[openstack-dev] [neutron] [fwaas] Proposal for the evolution of the FWaaS API
bo zhaobo
2018-05-11 01:15:53 UTC
This proposal looks more flexible for network traffic security.
For the current FW V2, we support 2 security levels for a single Neutron port.
One is the security group, the other is the firewall group, but this looks like it
supports more. And the firewall deployer/dispatcher needs to own some network
knowledge for configuring the specific fw rule. So it's necessary to
provide a good user experience, like security tags or something.
Hi,
As discussed during the weekly FWaaS IRC meeting, there is a new proposal
for the evolution of the FWaaS API here:
https://docs.google.com/document/d/1lnzV6pv841pX43sM76gF3aZ7jceRH3FPbKaGpPumWgs/edit
https://specs.openstack.org/openstack/neutron-specs/specs/
1. Firewall groups not only associate with ports but also with
subnets, other firewall groups and dynamic rules. A list of excluded ports
can be specified
2. Dynamic rules make possible the association with Nova instances by
security tags and VM names
3. Source and destination address groups can be lists
4. A re-direct action in firewall rules
5. Priority attribute in firewall policies
6. A default rule resource
The agreement in the meeting was for the team to help identify the areas
where there are incremental features in the proposal compared to what is
currently in place plus what is already being planned for
implementation. A spec will be developed based on that increment. We will
meet in Vancouver to continue the conversation face to face.
Best regards
Miguel
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev