This proposal looks more flexible for network traffic security. For the current FW V2, we support 2 security levels for a single Neutron port. One is security group, the other is firewall group, but this looks like it supports more. And the firewall deployer/dispatcher needs to own some network knowledge for configuring the specific fw rule. So it's necessary to provide a good user experience, like security tags or something.

2018-05-11 1:03 GMT+08:00 Miguel Lavalle <[email protected]>:

> Hi,
>
> As discussed during the weekly FWaaS IRC meeting, there is a new proposal
> for the evolution of the FWaaS API here:
> https://docs.google.com/document/d/1lnzV6pv841pX43sM76gF3aZ7jceRH3FPbKaGpPumWgs/edit
>
> This proposal is based on the current FWaaS V2.0 API as documented here:
> https://specs.openstack.org/openstack/neutron-specs/specs/mitaka/fwaas-api-2.0.html.
> The key additional features proposed are:
>
> 1. Firewall groups not only associate with ports but also with
>    subnets, other firewall groups and dynamic rules. A list of excluded ports
>    can be specified
> 2. Dynamic rules make possible the association with Nova instances by
>    security tags and VM names
> 3. Source and destination address groups can be lists
> 4. A re-direct action in firewall rules
> 5. Priority attribute in firewall policies
> 6. A default rule resource
>
> The agreement in the meeting was for the team to help identify the areas
> where there are incremental features in the proposal compared to what is
> currently in place plus what is already being planned for
> implementation. A spec will be developed based on that increment. We will
> meet in Vancouver to continue the conversation face to face
>
> Best regards
>
> Miguel
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: [email protected]?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
