Posted to dev@deltacloud.apache.org by David Lutterkort <lu...@redhat.com> on 2011/05/04 00:47:48 UTC
Firewalls
Marios is working on adding firewall support to Deltacloud; for now,
we'll only support EC2 security groups, but clearly we'll want to expand
that to other clouds (as much as other clouds support any notion of
firewalling through the API).
This mail describes how all this will work, and how we intend to
represent firewall rules etc. in the API.
XML representation
==================
A list of firewall rules will be described by the XML given below; for
now, we only support ingress rules.
<firewall href='...' id='sg-deadbeef'>
  <name>newsecgroup</name>
  <description>My spiffy group</description>
  <owner_id>297467797945</owner_id>
  <rules>
    <!-- Allow any TCP traffic from instances in the sg-deadbeef group -->
    <rule href='...' dir='ingress'>
      <source>
        <group id="sg-deadbeef" href='...'/>
      </source>
      <allow protocol="tcp">
        <ports from="0" to="65535"/>
      </allow>
    </rule>
    <!-- Allow any ICMP traffic from instances in the sg-deadbeef group -->
    <rule href='...' dir='ingress'>
      <source>
        <group id="sg-deadbeef" href='...'/>
      </source>
      <allow protocol="icmp"/>
    </rule>
    <!-- Allow access to port 80 from 192.0.2.0/24 and from 198.51.100.0/24 -->
    <rule href='...' dir='ingress'>
      <source>
        <address family='ipv4'>
          <ip address='192.0.2.0' prefix='24'/>
          <ip address='198.51.100.0' prefix='24'/>
        </address>
      </source>
      <allow protocol="tcp">
        <ports from="80" to="80"/>
      </allow>
    </rule>
  </rules>
</firewall>
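To show how a client would consume this representation, here is an added example (not Deltacloud code, and not part of the original mail) that parses a firewall document with Ruby's REXML into plain hashes and then audits the rules for overly broad ingress. The sample document is constructed to mirror the one above; the `href` values, the rule numbering and the "all 65536 ports or a /0 source counts as broad" threshold are assumptions made for the example.

```ruby
require 'rexml/document'

# Constructed sample, mirroring the representation from the mail.
# The href values and rule numbers are invented for this example.
SAMPLE_FIREWALL_XML = <<~XML
  <firewall href='/api/firewalls/sg-deadbeef' id='sg-deadbeef'>
    <name>newsecgroup</name>
    <description>My spiffy group</description>
    <owner_id>297467797945</owner_id>
    <rules>
      <rule href='/api/firewalls/sg-deadbeef/rules/1' dir='ingress'>
        <source>
          <group id="sg-deadbeef" href='/api/firewalls/sg-deadbeef'/>
        </source>
        <allow protocol="tcp">
          <ports from="0" to="65535"/>
        </allow>
      </rule>
      <rule href='/api/firewalls/sg-deadbeef/rules/2' dir='ingress'>
        <source>
          <group id="sg-deadbeef" href='/api/firewalls/sg-deadbeef'/>
        </source>
        <allow protocol="icmp"/>
      </rule>
      <rule href='/api/firewalls/sg-deadbeef/rules/3' dir='ingress'>
        <source>
          <address family='ipv4'>
            <ip address='192.0.2.0' prefix='24'/>
            <ip address='198.51.100.0' prefix='24'/>
          </address>
        </source>
        <allow protocol="tcp">
          <ports from="80" to="80"/>
        </allow>
      </rule>
    </rules>
  </firewall>
XML

# Parse one <firewall> document into a hash of plain Ruby values.
# Sources may be security groups (<group>) or CIDR blocks (<ip>), so both
# are collected; ICMP rules carry no <ports>, which is kept as nil.
def parse_firewall(xml)
  fw = REXML::Document.new(xml).root
  rules = fw.elements.to_a('rules/rule').map do |r|
    allow = r.elements['allow']
    ports = allow.elements['ports']
    {
      href: r.attributes['href'],
      dir: r.attributes['dir'],
      groups: r.elements.to_a('source/group').map { |g| g.attributes['id'] },
      addresses: r.elements.to_a('source/address/ip').map do |ip|
        { address: ip.attributes['address'], prefix: ip.attributes['prefix'].to_i }
      end,
      protocol: allow.attributes['protocol'],
      ports: ports && (ports.attributes['from'].to_i..ports.attributes['to'].to_i)
    }
  end
  {
    id: fw.attributes['id'],
    name: fw.elements['name'].text,
    owner_id: fw.elements['owner_id'].text,
    rules: rules
  }
end

# Audit helper: return the ingress rules a reviewer would want to look at,
# i.e. those that open every port, or that accept traffic from a /0 source.
# The threshold is an assumption for this example, not a Deltacloud rule.
def overly_broad_rules(firewall)
  firewall[:rules].select do |rule|
    all_ports = rule[:ports] && rule[:ports].first == 0 && rule[:ports].last == 65535
    any_source = rule[:addresses].any? { |a| a[:prefix] == 0 }
    all_ports || any_source
  end
end

if __FILE__ == $PROGRAM_NAME
  fw = parse_firewall(SAMPLE_FIREWALL_XML)
  puts "#{fw[:id]} (#{fw[:name]}): #{fw[:rules].size} rules"
  overly_broad_rules(fw).each { |r| puts "broad: #{r[:href]} #{r[:protocol]} #{r[:ports]}" }
end
```

Run against the sample, the parser yields three rules and the audit flags only the first one (TCP on every port), which is fine when the source is the group itself but would deserve a second look if the source were a CIDR block.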
Operations
==========
(as always, URLs are mentioned here only for illustrative purposes, and
clients should get them from server responses, not by constructing them)
GET /api/firewalls
List all firewall rule sets
POST /api/firewalls?name=NAME
Create a new set of firewall rules. We might also support
posting with an XML body that describes the rules; that's TBD
GET /api/firewalls/sg-deadbeef
Produce description of a firewall rule set as given above.
POST /api/firewalls/sg-deadbeef/rules
Add a new rule to an existing set of firewall rules
DELETE /api/firewalls/sg-deadbeef/rules/foo
Delete a rule from a set of firewall rules
David