cloudstack-dev mailing list archives

From "Sheng Yang" <sh...@yasker.org>
Subject Re: Review Request: Changes for Egress firewall rules feature support in SRX
Date Tue, 09 Apr 2013 18:23:07 GMT


> On April 8, 2013, 11:25 p.m., Sheng Yang wrote:
> > plugins/network-elements/juniper-srx/src/com/cloud/network/resource/JuniperSrxResource.java, line 830
> > <https://reviews.apache.org/r/10336/diff/1/?file=278647#file278647line830>
> >
> >     What are these trafficType and guestVlan for? Didn't see them in the scope.
> 
> Jayapal Reddy wrote:
>     1. The traffic type is for identifying the rule type whether it is Egress/Ingress.
>     2. Guest Vlan is used for creating unique egress firewall rule name.

I meant, I didn't see the reference of them anywhere in the code.


> On April 8, 2013, 11:25 p.m., Sheng Yang wrote:
> > plugins/network-elements/juniper-srx/src/com/cloud/network/resource/JuniperSrxResource.java, line 2572
> > <https://reviews.apache.org/r/10336/diff/1/?file=278647#file278647line2572>
> >
> >     I am not sure if you need to create an application for egress rules. Ingress firewall doesn't need it. I suppose applications are for security policy rather than firewall filter?
> 
> Jayapal Reddy wrote:
>     Application for egress is required because in case of ingress security policies while deleting a policy it is deleting the applications which are not used by it.
>     
>     Example:
>     1. security policy ingress rule for tcp-22-22
>     2. Egress rule for tcp-22-22
>     3. If we don't add separate egress application name there will be one application with name tcp-22-22
>     4. Deleting security policy ingress rule will delete tcp-22-22 application which is needed by egress rule.
>        So we need separate application name for egress.
>     
>

In fact I'm talking about firewall filter, which doesn't need applications. But seems you're
using security policy for egress purpose. Then it should be fine.


- Sheng


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/10336/#review18804
-----------------------------------------------------------


On April 9, 2013, 6:12 a.m., Jayapal Reddy wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/10336/
> -----------------------------------------------------------
> 
> (Updated April 9, 2013, 6:12 a.m.)
> 
> 
> Review request for cloudstack, Abhinandan Prateek, Sheng Yang, and Murali Reddy.
> 
> 
> Description
> -------
> 
> Added egress firewall rules support for SRX device.
> Supported networks:
> 1. Advanced Isolated networks.
> 
> 
> This addresses bug CLOUDSTACK-779.
> 
> 
> Diffs
> -----
> 
>   api/src/com/cloud/agent/api/to/FirewallRuleTO.java 7f77936 
>   plugins/network-elements/juniper-srx/src/com/cloud/network/element/JuniperSRXExternalFirewallElement.java af0912a 
>   plugins/network-elements/juniper-srx/src/com/cloud/network/resource/JuniperSrxResource.java 8482168 
>   scripts/network/juniper/application-add.xml 6603850 
>   scripts/network/juniper/security-policy-add.xml 632a17d 
>   server/src/com/cloud/network/ExternalFirewallDeviceManagerImpl.java 1fc32d0 
>   server/src/com/cloud/upgrade/dao/Upgrade410to420.java f39038f 
> 
> Diff: https://reviews.apache.org/r/10336/diff/
> 
> 
> Testing
> -------
> 
> Unit Testing done.
> 
> 
> Thanks,
> 
> Jayapal Reddy
> 
>

