
yahoo-eng-team team mailing list archive

[Bug 1508997] Re: Reusable firewall rules


Determined that the requirements for this request are a duplicate of the
FWaaS API v2.0 spec: https://review.openstack.org/#/c/243873

** Changed in: neutron
       Status: Triaged => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1508997

Title:
  Reusable firewall rules

Status in neutron:
  Invalid

Bug description:
  At Comcast we provide a very large private cloud. Each tenant uses
  firewall rules to filter traffic in order to accept traffic only from
  a given list of IPs. This can be done with security groups. However,
  there are two shortcomings with that approach.

  First, in my environment the list of IPs on which to manage ingress
  rules is very large due to non-contiguous IP space, so educating all
  tenants about what these IP addresses are is problematic at best.

  Second, notifying all tenants when IPs change is not a sustainable
  model.

  We would like to find a solution whereby rules much like security
  groups (that is, filtering by a combination of IP, protocol, and port)
  can be defined and tenants can apply these rules to a given port or
  network. This would allow an admin to define these rules to encompass
  different IP spaces and the tenants could apply them to their VM or
  network as they see fit.

  We would like to model the authorization of these rules so one role
  (such as admin) could create, update or remove them. The rule could
  then be shared with a tenant or all tenants to consume.

  Use Cases:

  - As a tenant, I have a heavy CPU workload for a large report. I want
  to spin up 40 instances and apply the "Reporting Infrastructure" rule
  to them. This would allow access only to the internal reporting
  infrastructure.

  - As a network admin, when the reporting team needs more IP space and
  I want to add more subnets, I want to update the "Reporting
  Infrastructure" rule so that any VM that is already using that rule
  can access the new IP space.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1508997/+subscriptions
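The authorization and sharing model the report asks for (admin-owned rule sets, shared with some or all tenants, attached to ports by reference so that an admin update reaches every port already using the rule set) can be sketched in a few lines. The block below is an added illustration written for this archive page; it is not Neutron code and not the FWaaS v2.0 API the status comment points to. The class and method names, the `is_admin` flag, the tenant ids, port ids and CIDRs are all constructed for the example.

```python
"""Toy model of the reusable firewall rule proposal (added illustration, not
Neutron or FWaaS code): an admin owns a named rule set, shares it with some or
all tenants, tenants attach it to their ports by reference, and an admin
update is visible on every port already using it without tenant action."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """Allow traffic from `cidr` to `protocol`/`port` (security-group style)."""
    cidr: str
    protocol: str
    port: int

    def matches(self, src_ip, protocol, dst_port):
        return (protocol == self.protocol and dst_port == self.port
                and ip_address(src_ip) in ip_network(self.cidr))


@dataclass
class RuleSet:
    name: str
    owner: str                                      # creator (an admin)
    rules: list = field(default_factory=list)
    shared_with: set = field(default_factory=set)   # tenant ids, or "*" for all


class ReusableRuleStore:
    """Ingress allow-lists; traffic not matched by an attached rule is dropped."""

    def __init__(self):
        self.rule_sets = {}   # name -> RuleSet
        self.bindings = {}    # port id -> (tenant id, [rule set names])

    # -- admin side ---------------------------------------------------------
    def create(self, actor, is_admin, name, rules, shared_with=()):
        if not is_admin:
            raise PermissionError(f"{actor} may not create rule sets")
        self.rule_sets[name] = RuleSet(name, actor, list(rules), set(shared_with))

    def update(self, actor, is_admin, name, rules):
        rs = self.rule_sets[name]
        if not (is_admin or actor == rs.owner):
            raise PermissionError(f"{actor} may not modify {name!r}")
        rs.rules = list(rules)   # bindings hold the name, so they see this

    # -- tenant side --------------------------------------------------------
    def apply_to_port(self, tenant, port_id, name):
        rs = self.rule_sets[name]
        if tenant != rs.owner and tenant not in rs.shared_with \
                and "*" not in rs.shared_with:
            raise PermissionError(f"{name!r} is not shared with {tenant}")
        self.bindings.setdefault(port_id, (tenant, []))[1].append(name)

    def is_allowed(self, port_id, src_ip, protocol, dst_port):
        """Evaluate at lookup time against the *current* rule set contents."""
        _tenant, names = self.bindings.get(port_id, (None, []))
        return any(rule.matches(src_ip, protocol, dst_port)
                   for n in names for rule in self.rule_sets[n].rules)


def demo():
    """Walk the two use cases from the bug report; returns checkpoints."""
    fw = ReusableRuleStore()
    # Admin publishes the "Reporting Infrastructure" rule to every tenant
    # (constructed sample CIDRs and ids).
    fw.create("netadmin", True, "Reporting Infrastructure",
              [Rule("10.10.0.0/24", "tcp", 443)], shared_with={"*"})
    # A rule set shared with a single tenant only.
    fw.create("netadmin", True, "Billing Backends",
              [Rule("10.30.0.0/24", "tcp", 5432)], shared_with={"tenant-b"})
    # Tenant A attaches the shared rule to its report-generating instances.
    for i in range(3):
        fw.apply_to_port("tenant-a", f"port-a{i}", "Reporting Infrastructure")
    before = fw.is_allowed("port-a0", "10.20.0.7", "tcp", 443)
    # A tenant cannot edit the admin's rule set ...
    try:
        fw.update("tenant-a", False, "Reporting Infrastructure", [])
        tenant_edit_blocked = False
    except PermissionError:
        tenant_edit_blocked = True
    # ... nor consume a rule set that is not shared with it.
    try:
        fw.apply_to_port("tenant-a", "port-a0", "Billing Backends")
        unshared_blocked = False
    except PermissionError:
        unshared_blocked = True
    # Admin adds the new reporting subnet; every bound port sees it at once.
    fw.update("netadmin", True, "Reporting Infrastructure",
              [Rule("10.10.0.0/24", "tcp", 443), Rule("10.20.0.0/24", "tcp", 443)])
    after = fw.is_allowed("port-a2", "10.20.0.7", "tcp", 443)
    return {"before": before, "after": after,
            "tenant_edit_blocked": tenant_edit_blocked,
            "unshared_blocked": unshared_blocked,
            "other_src_blocked": fw.is_allowed("port-a1", "192.0.2.9", "tcp", 443)}
```

The point of the model is the reference semantics in `is_allowed`: a port binding stores the rule set's name rather than a copy of its rules, so the admin's `update` changes the effective filter on every port without any tenant re-applying anything, which is exactly the second use case. The two `PermissionError` paths are the authorization split the report describes: one role creates and modifies, tenants can only consume what is shared with them.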
