deltacloud-dev mailing list archives

From "marios@redhat.com" <mandr...@redhat.com>
Subject Re: [PATCH 1/2] Adds log_rule and rule_action features for Firewalls and associated attributes for the FirewallRule model and create operation
Date Thu, 30 Aug 2012 07:18:12 GMT
On 29/08/12 11:20, Koper, Dies wrote:
> ACK to this one and its 2/2 with the following question:
> 
> David and I came to the conclusion that rule creation for FGCP does not
> map to the DC FW API well.
> For FW rule listing and deletion there is no issue.
> 
> Without rule creation, do we still need to advertise these two features?
> (I suppose so because they are relevant to rule listing, but want to
> make sure)

No, in this case I don't think we need the features. We can keep the
attributes "rule_action" and "log_rule" on the FirewallRule object - so
you can assign values to these when you get a response back from FGCP.
Advertising features is more about letting a client know about the extra
parameters that can be given for a particular operation.

The other thing needed then is an explanation in the API of what these
'rule_action' and 'log_rule' attributes returned in a firewall rule
mean. I'll have to rework these patches to a) remove the features and b)
write up some docs.

marios


> 
> Background of the rule creation mapping problem:
> While implementing rule creation for FGCP, I identified another issue:
> the FGCP FW rule creation API requires one to set the rule id (number).
> This number is used for two purposes:
> 
> 1. With both Accept and Deny rules, rule order is important. The rule
> id is the index where the rule should be placed into the rule table.
> 2. FGCP instances are in Systems with possibly multiple network
> segments. So rules can apply for traffic from Internet to instances in
> the 1st, 2nd or 3rd network segment, or back, or from 1st to 2nd network
> segment, or from 2nd to 3rd, etc. Each path has its own id prefix.
> So while specifying an index at rule creation works for FGCP, it is not
> portable.
> 
> Regards,
> Dies Koper
> 
> 
> 
>> -----Original Message-----
>> From: marios@redhat.com [mailto:marios@redhat.com]
>> Sent: Tuesday, 21 August 2012 7:08 PM
>> To: dev@deltacloud.apache.org
>> Subject: [PATCH 1/2] Adds log_rule and rule_action features for Firewalls and
>> associated attributes for the FirewallRule model and create operation
>>
>> From: marios <marios@redhat.com>
>>
>>
>> Signed-off-by: marios <marios@redhat.com>
>> ---
>>  server/lib/deltacloud/collections/firewalls.rb |  7 +++++++
>>  server/lib/deltacloud/drivers/features.rb      | 16 ++++++++++++++++
>>  server/lib/deltacloud/models/firewall_rule.rb  |  2 ++
>>  3 files changed, 25 insertions(+)
>>
>> diff --git a/server/lib/deltacloud/collections/firewalls.rb
>> b/server/lib/deltacloud/collections/firewalls.rb
>> index 603a62e..7b9618a 100644
>> --- a/server/lib/deltacloud/collections/firewalls.rb
>> +++ b/server/lib/deltacloud/collections/firewalls.rb
>> @@ -16,6 +16,8 @@
>>  module Deltacloud::Collections
>>    class Firewalls < Base
>>
>> +    include Deltacloud::Features
>> +
>>      set :capability, lambda { |m| driver.respond_to? m }
>>
>>      check_features :for => lambda { |c, f|
> driver.class.has_feature?(c, f) }
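Review bot: The new `include Deltacloud::Features` line carries no explanation of why the Firewalls collection now needs it; since the `check_features` call just below it is what resolves `driver.class.has_feature?(c, f)`, a one-line comment stating that the include is what brings the firewall features into scope for this collection (and a note on whether the other collections do the same) would save the next reader from guessing.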
>> @@ -85,6 +87,11 @@ module Deltacloud::Collections
>>          param :protocol,  :required, :string, ['tcp','udp','icmp'],
> "Transport layer
>> protocol for the rule"
>>          param :port_from, :required, :string, [], "Start of port
> range for the rule"
>>          param :port_to,   :required, :string, [], "End of port range
> for the rule"
>> +        param :rule_action, :optional, :string, ['accept', 'deny'],
> "Specify if
>> +                firewall rule is 'accept' or 'deny' - only if
> 'rule_action' feature"
>> +        param :log_rule, :optional, :string, ['true', 'false'],
> "Specify if log should
>> +                 be made when firewall rule is triggered - values are
> 'true' or 'false'
>> +                   - only if 'log_rule' feature"
>>          control do
>>            #source IPs from params
>>            addresses =  params.inject([]){|result,current| result <<
> current.last unless
>> current.grep(/^ip[-_]address/i).empty?; result}
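Review bot: The `rule_action` and `log_rule` params are declared here unconditionally, with their value lists and descriptions, and again in the `feature` blocks of features.rb, so the two declarations can drift; they already do, as this description says the log is made when the rule is "triggered" while the feature says "actioned". Keep a single source of truth for the allowed values and wording (the feature declaration is the natural one, since the description itself says the param applies "only if" the feature is present), and consider whether `log_rule` should be validated as a boolean rather than the strings 'true' and 'false'.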
>> diff --git a/server/lib/deltacloud/drivers/features.rb
>> b/server/lib/deltacloud/drivers/features.rb
>> index bc8bb5b..740ba4b 100644
>> --- a/server/lib/deltacloud/drivers/features.rb
>> +++ b/server/lib/deltacloud/drivers/features.rb
>> @@ -156,6 +156,22 @@ module Deltacloud
>>          end
>>        end
>>
>> +      feature :rule_action, :for => :firewalls do
>> +        description "Specify if firewall rule is 'accept' or 'deny'"
>> +        operation :create_firewall_rule do
>> +          param :rule_action, :string, :optional
>> +        end
>> +      end
>> +
>> +      feature :log_rule, :for => :firewalls do
>> +        description "Specify if log should be made when firewall rule
> is actioned -
>> values are 'true' or 'false'"
>> +        operation :create_firewall_rule do
>> +          param :log_rule, :string, :optional
>> +        end
>> +
>> +      end
>> +
>> +
>>      end
>>
>>    end
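Review bot: The `log_rule` feature block has a stray blank line before its closing `end`, and two more blank `+` lines follow it, while `rule_action` has none; drop the extra whitespace so the two blocks look alike. Also, `param :log_rule, :string, :optional` and `param :rule_action, :string, :optional` omit the `['true', 'false']` and `['accept', 'deny']` value lists that the collection declares for the same params, so a client reading the advertised feature cannot learn the accepted values; carry the lists over here.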
>> diff --git a/server/lib/deltacloud/models/firewall_rule.rb
>> b/server/lib/deltacloud/models/firewall_rule.rb
>> index 3959eb6..6a8de21 100644
>> --- a/server/lib/deltacloud/models/firewall_rule.rb
>> +++ b/server/lib/deltacloud/models/firewall_rule.rb
>> @@ -20,4 +20,6 @@ class FirewallRule < BaseModel
>>    attr_accessor :port_to
>>    attr_accessor :sources
>>    attr_accessor :direction #ingress egress
>> +  attr_accessor :rule_action #Accept/Deny - for FGCP, advertised
> :rule_action
>> feature
>> +  attr_accessor :log_rule #true/false - for FGCP, advertised by
> :log_rule feature
>>  end
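Review bot: The attribute comments say `#Accept/Deny` and "true/false", but the create params accept the lowercase strings 'accept' and 'deny' (and 'true' and 'false'), so a client comparing the attribute returned in a firewall rule against the value it sent could be surprised by case; document the exact normalised values the driver will populate. The comments also tie the attributes to the advertised features, which, per the discussion above, are to be removed while the attributes stay, so the wording will need updating along with the docs.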
>> --
>> 1.7.11.4
>>
> 
> 

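An added example, not code from Deltacloud or FGCP, illustrating the two points in this thread: the value constraints the patch places on `rule_action` and `log_rule`, and why the rule index that FGCP requires at creation time matters for an ordered accept/deny table. The `RuleTable` class, its first-match evaluation and its default-deny policy are constructed for the illustration.

```ruby
# Added example (not Deltacloud or FGCP code): an ordered, first-match
# firewall rule table built from the FirewallRule attributes discussed in
# this thread. Inserting the same 'deny' rule at a different index changes
# the verdict for a packet, which is why the index is not portable.
FirewallRule = Struct.new(:protocol, :port_from, :port_to, :rule_action, :log_rule) do
  # Mirrors the allowed values from the patch's param declarations.
  def valid?
    %w[accept deny].include?(rule_action) && %w[true false].include?(log_rule)
  end

  def matches?(proto, port)
    protocol == proto && port.between?(port_from, port_to)
  end
end

class RuleTable
  def initialize
    @rules = []
    @log = []
  end

  attr_reader :log

  # FGCP-style creation: the caller supplies the index (position) for the rule.
  def create(index, rule)
    raise ArgumentError, 'invalid rule_action/log_rule' unless rule.valid?
    @rules.insert(index, rule)
    self
  end

  # First match wins; a rule with log_rule 'true' records a log entry.
  # Traffic matching no rule is denied (constructed default policy).
  def verdict(proto, port)
    rule = @rules.find { |r| r.matches?(proto, port) }
    return 'deny' unless rule
    @log << "#{proto}/#{port} -> #{rule.rule_action}" if rule.log_rule == 'true'
    rule.rule_action
  end
end

# Constructed demo: the same two rules, placed in different order.
def demo
  allow_web = FirewallRule.new('tcp', 80, 443, 'accept', 'false')
  deny_http = FirewallRule.new('tcp', 80, 80, 'deny', 'true')
  appended = RuleTable.new.create(0, allow_web).create(1, deny_http)
  first = RuleTable.new.create(0, allow_web).create(0, deny_http)
  [appended.verdict('tcp', 80), first.verdict('tcp', 80), first.log.size]
end
```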
