yahoo-eng-team team mailing list archive

[Bug 1657153] [NEW] Scheduling of Firewalls

 

Public bug reported:


Currently OpenStack firewalls lack scheduling. OpenStack firewalls
allow a particular rule to be active throughout its lifespan,
as long as it is a part of a Firewall. Most firewalls nowadays support
the facility to schedule a policy/rule, so that more variations
and extended usability can be provided to the user.

Problem Description
===================

While efficient in its working, OpenStack firewalls do not support a scheduling
mechanism. When a firewall is created and associated with a router, the rules
governing the firewall are active the whole time.
However, in order to extend the user support, and to provide a more detailed
firewall experience, scheduling of the firewall rules is possible. Scheduling
allows a firewall to be 'Active' for the duration specified, and for the rest
of the duration, remain 'Passive'.

Use Cases:
a) User creates a firewall rule with no duration specified.
- Scenario : Regression
- User Impact: No change from previous releases. The firewall will operate
like it used to earlier, as no duration is defined.

b) User creates a firewall rule with Action in Deny/Accept/Reject for a 
specific time-period.
- Scenario : New
- User Impact: The enforced rules would be active and Deny/Accept/Reject all
the specific packets for the duration specified. After that, the rule would
expire. Packets will not be filtered after the specific duration. For the
remaining duration, the user can create a new rule with a separate action, if
required.

Limitation
-----------
Currently Firewall rules can only be scheduled on a daily basis. That is
because although the 'time' module may come pre-packed with iptables, the 'date'
module does not, and therefore day/date wise filtering is currently not
available in this release.
However, it can be easily added if the date module is released for iptables.

iptables allows filtering of packets based on time, using a 'time' module,
which is proposed to be used in this patch.

** Affects: neutron
     Importance: Undecided
     Assignee: Reedip (reedip-banerjee)
         Status: New


** Tags: fwaas

** Changed in: neutron
     Assignee: (unassigned) => Reedip (reedip-banerjee)

** Tags added: fwaas

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1657153

Title:
  Scheduling of Firewalls

Status in neutron:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1657153/+subscriptions
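
An added example, not taken from the bug report or the neutron code base, of how a daily schedule could map onto the iptables 'time' match the report proposes to use, including a window that wraps past midnight. The function names and the Deny/Accept/Reject to DROP/ACCEPT/REJECT mapping are assumptions; the match compares against UTC unless --kerneltz is given, so the activity model below converts to UTC first.

```python
from datetime import datetime, time, timezone

# Assumed mapping from the report's actions to iptables targets.
TARGETS = {"deny": "DROP", "accept": "ACCEPT", "reject": "REJECT"}


def time_match_args(start, stop):
    """iptables 'time' match arguments for a daily window (interpreted as UTC)."""
    if start == stop:
        raise ValueError("start and stop must differ")
    return ["-m", "time",
            "--timestart", start.strftime("%H:%M:%S"),
            "--timestop", stop.strftime("%H:%M:%S")]


def build_rule(chain, action, proto, dport, start=None, stop=None):
    """Argument list for one rule; with no window it is always active (use case a)."""
    if action not in TARGETS:
        raise ValueError("unknown action: %r" % action)
    if (start is None) != (stop is None):
        raise ValueError("give both start and stop, or neither")
    args = ["-A", chain, "-p", proto, "--dport", str(dport)]
    if start is not None:
        args += time_match_args(start, stop)   # use case b: scheduled rule
    return args + ["-j", TARGETS[action]]


def is_active(start, stop, now):
    """Model of when the daily window matches; 'now' must be timezone-aware."""
    if now.tzinfo is None:
        raise ValueError("naive datetime: the window is defined in UTC")
    t = now.astimezone(timezone.utc).time()
    if start <= stop:
        return start <= t <= stop
    # start > stop: the window runs past midnight into the next day
    return t >= start or t <= stop


if __name__ == "__main__":
    # Constructed sample: block SSH during 09:00-17:30 UTC every day.
    rule = build_rule("FORWARD", "deny", "tcp", 22, time(9, 0), time(17, 30))
    print("iptables " + " ".join(rule))
    print(is_active(time(9, 0), time(17, 30), datetime.now(timezone.utc)))
```

Outside the window the rule simply does not match, so what happens to those packets is decided by the rules that follow it and by the chain policy.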