neutron

[RFE] Scheduling of Firewall rules

Bug #1507866 reported by Reedip
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
neutron
Won't Fix
Undecided
Unassigned

Bug Description

(A)Summary : Firewall rules in Openstack does not support scheduling
(B)Further information :
(B.1)High level description: Currently Openstack firewall rules do not allow scheduling. When a router is associated with a firewall, the rules making the firewall are active for the whole duration till the rule is a part of the firewall.
However, users may require a scheduled action in the firewall, so that a single rule can act upon the firewall packets for a specific time period.After the time period expires, the rule can change its behavior on the same packets.
(B.2)Pre-conditions: The following requirement does not have an explicit pre-conditon.
Note:
- This is applicable for all tenants
(B.3)Step-by-step reproduction steps: NA, as this feature does not currently exist in Openstack.
(B.4)Expected output: User should be able to create a Firewall rule which can be scheduled, to provide extended support to the user.
(B.5)Actual output: Such a facility in the firewall rule is not available.
(B.6)Version:
- OpenStack version (Specific stable branch, or git hash if from trunk): Tag ID : c1310f32fbb6dfa958bb31152ee5b492b177c6cb
- Linux distro, kernel.: Ubuntu 14.04
- DevStack or other _deployment_ mechanism? : Devstack
- Environment: Neutron with Firewall Extensions, on a single node machine.
  However, the above requirement is independent of the environment.
(C)Perceived severity: Medium

See original description
Tags: fwaas rfe
Reedip (reedip-banerjee-deactivatedaccount)
Changed in neutron:
assignee: nobody → Reedip (reedip-banerjee)
Reedip (reedip-banerjee-deactivatedaccount)
description: updated
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-fwaas (master)

Fix proposed to branch: master
Review: https://review.openstack.org/237832

Changed in neutron:
status: New → In Progress
Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote : Re: Scheduling of Firewall rules

Should be treated as a feature request. This involves changes to API and DB model. For your own sake, consider halting development until we decided the path forward.

tags: added: rfe
Changed in neutron:
status: In Progress → Confirmed
OpenStack Infra (hudson-openstack)
Changed in neutron:
status: Confirmed → In Progress
Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote :

We should check with the fwaas team to see whether this has legs

Changed in neutron:
status: In Progress → New
Revision history for this message
Miguel Angel Ajo (mangelajo) wrote :

Correct, please discuss with the fwaas team.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron-fwaas (master)

Change abandoned by Reedip (<email address hidden>) on branch: master
Review: https://review.openstack.org/237832
Reason: Will be taking this up in January.
Abandoning meanwhile

Revision history for this message
Henry Gessau (gessau) wrote :

Submitter indicates that work will resume on this "in January" (2016?). Submitter has been requested to discuss with FWaaS team. Marking as incomplete until discussion has taken place.

summary: - Scheduling of Firewall rules
+ [RFE] Scheduling of Firewall rules
Changed in neutron:
status: New → Incomplete
Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote :

Until FwaaS v2 settles, this is basically blocked.

Changed in neutron:
assignee: Reedip (reedip-banerjee) → nobody
Revision history for this message
Reedip (reedip-banerjee-deactivatedaccount) wrote :

@Henry/Armando:
Yes, I am waiting for the FWaaS v2 to be completed, following which this will be re-proposed.

P.S.: Can I still keep it assigned to me, if its ok?

Revision history for this message
Henry Gessau (gessau) wrote :

@Reedip, an RFE is different from a regular bug. As the submitter you are essentially the owner of the RFE. When the RFE is not being actively implemented it is better to leave it unassigned.

Revision history for this message
Sean M. Collins (scollins) wrote : Re: [Bug 1507866] Re: [RFE] Scheduling of Firewall rules

Honestly the FwaaS API v2 won't really change anything when it comes to
this RFE. I would still have the same concerns about this API that I
had, when I commented on the spec.

To whit:

> Based on the discussion we had at the summit, I don't think this API
> change is needed at this point in time. Unless I am mistaken, firewall
> rules can be added and removed from a firewall policy by a client of
> the FwaaS API dynamically, so there is little reason to support adding
> date fields to firewall rules.

> During the presentation at the summit, my overall thought was - just
> because iptables has support for adding date/time to firewall rules,
> doesn't mean that every firewall driver will, and also that the API
> demoed basically was a passthrough straight to the IPTables CLI where
> the date/time was added. There was no abstraction, if I recall
> correctly.
--
Sean M. Collins

Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote :

Sean: did I interpret your comment right? If the landscape changes, we can reassess.

Changed in neutron:
status: Incomplete → Won't Fix
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.