Posted to dev@deltacloud.apache.org by David Lutterkort <lu...@redhat.com> on 2011/05/04 00:47:48 UTC

Firewalls

Marios is working on adding firewall support to Deltacloud; for now,
we'll only support EC2 security groups, but clearly we'll want to expand
that to other clouds (as much as other clouds support any notion of
firewalling through the API)

This mail describes how all this will work, and how we intend to
represent firewall rules etc. in the API.

XML representation
==================

A list of firewall rules will be described by the XML given below; for
now, we only support ingress rules.
        
        <firewall href='...' id='sg-deadbeef'>
          <name>newsecgroup</name>
          <description>My spiffy group</description>
          <owner_id>297467797945</owner_id>
          <rules>
            <!-- Allow any TCP traffic from instances in the sg-deadbeef group -->
            <rule href='...' dir='ingress'>
              <source>
                <group id="sg-deadbeef" href='...'/>
              </source>
              <allow protocol="tcp">
                <ports from="0" to="65535"/>
              </allow>
            </rule>
            <!-- Allow any ICMP traffic from instances in the sg-deadbeef group -->
            <rule href='...' dir='ingress'>
              <source>
                <group id="sg-deadbeef" href='...'/>
              </source>
              <allow protocol="icmp"/>
            </rule>
            <!-- Allow access to port 80 from 192.0.2.0/24 and from 198.51.100.0/24 -->
            <rule href='...' dir='ingress'>
              <source>
                <address family='ipv4'>
                  <ip address='192.0.2.0' prefix='24'/>
                  <ip address='198.51.100.0' prefix='24'/>
                </address>
              </source>
              <allow protocol="tcp">
                <ports from="80" to="80"/>
              </allow>
            </rule>
          </rules>
        </firewall>
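Added example, not code from the Deltacloud project or from this mail: a small REXML consumer of the representation above that extracts the rules, rejects documents that are not well-formed (a stray `</owner>` closing an `<owner_id>` is caught), and flags ingress rules that open a wide port range to any source address. The 0.0.0.0/0 rule in the sample, the WIDE_RANGE threshold and all function names are this example's own assumptions; the sample document is constructed here.

```ruby
# Added example (not Deltacloud code): parse the proposed <firewall> XML
# and audit it for over-permissive ingress rules. Uses only Ruby stdlib.
require 'rexml/document'
require 'ipaddr'

# Constructed sample: the three rules from the proposal plus one
# deliberately over-permissive rule (assumption) for the audit to catch.
FIREWALL_XML = <<~XML
  <firewall href='http://example.com/api/firewalls/sg-deadbeef' id='sg-deadbeef'>
    <name>newsecgroup</name>
    <description>My spiffy group</description>
    <owner_id>297467797945</owner_id>
    <rules>
      <rule href='...' dir='ingress'>
        <source><group id="sg-deadbeef" href='...'/></source>
        <allow protocol="tcp"><ports from="0" to="65535"/></allow>
      </rule>
      <rule href='...' dir='ingress'>
        <source><group id="sg-deadbeef" href='...'/></source>
        <allow protocol="icmp"/>
      </rule>
      <rule href='...' dir='ingress'>
        <source>
          <address family='ipv4'>
            <ip address='192.0.2.0' prefix='24'/>
            <ip address='198.51.100.0' prefix='24'/>
          </address>
        </source>
        <allow protocol="tcp"><ports from="80" to="80"/></allow>
      </rule>
      <rule href='...' dir='ingress'>
        <source><address family='ipv4'><ip address='0.0.0.0' prefix='0'/></address></source>
        <allow protocol="tcp"><ports from="0" to="65535"/></allow>
      </rule>
    </rules>
  </firewall>
XML

# One parsed <rule>: direction, group sources, CIDR sources, protocol and
# the allowed port range (from/to are nil when <ports> is absent, e.g. icmp).
Rule = Struct.new(:dir, :groups, :cidrs, :protocol, :from, :to)

# True if the document parses; REXML raises on a mismatched end tag.
def well_formed?(xml)
  REXML::Document.new(xml)
  true
rescue REXML::ParseException
  false
end

# Turn the XML into a hash with the firewall id, name and a list of Rule.
def parse_firewall(xml)
  fw = REXML::Document.new(xml).root
  rules = fw.elements.to_a('rules/rule').map do |r|
    groups = r.elements.to_a('source/group').map { |g| g.attributes['id'] }
    cidrs = r.elements.to_a('source/address/ip').map do |ip|
      IPAddr.new("#{ip.attributes['address']}/#{ip.attributes['prefix']}")
    end
    allow = r.elements['allow']
    ports = allow.elements['ports']
    from = ports && ports.attributes['from'].to_i
    to   = ports && ports.attributes['to'].to_i
    Rule.new(r.attributes['dir'], groups, cidrs, allow.attributes['protocol'], from, to)
  end
  { id: fw.attributes['id'], name: fw.elements['name'].text, rules: rules }
end

# Assumed threshold: an ingress rule from 0.0.0.0/0 that spans more than
# this many ports (or has no port restriction at all) is reported.
WIDE_RANGE = 1024

def port_desc(rule)
  rule.from ? "ports #{rule.from}-#{rule.to}" : "all traffic"
end

# Return one finding string per ingress rule that is open to any IPv4
# source over a wide range. Group-sourced rules (intra-group traffic) are
# not reported even when they allow every port.
def audit(firewall)
  firewall[:rules].each_with_index.filter_map do |rule, i|
    next unless rule.dir == 'ingress'
    any_source = rule.cidrs.any? { |c| c.prefix == 0 }
    span = rule.from && (rule.to - rule.from + 1)
    next unless any_source && (span.nil? || span > WIDE_RANGE)
    "rule #{i}: #{rule.protocol} #{port_desc(rule)} open to any source address"
  end
end

if __FILE__ == $PROGRAM_NAME
  fw = parse_firewall(FIREWALL_XML)
  puts "#{fw[:id]} (#{fw[:name]}): #{fw[:rules].size} rules"
  audit(fw).each { |f| puts "WARNING #{f}" }
end
```

The audit is deliberately narrow: it only looks at address sources with prefix 0, so a rule like the first one above (every TCP port, but only from members of sg-deadbeef) passes, while the same port range from 0.0.0.0/0 is reported. A real consumer would also want to check `dir` once egress rules exist and treat an `<address>` without `family='ipv4'` separately.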


Operations
==========

(as always, URLs are mentioned here only for illustrative purposes, and
clients should get them from server responses, not by constructing them)

GET /api/firewalls

        List all firewall rule sets

POST /api/firewalls?name=NAME

        Create a new set of firewall rules. We might also support
        posting with an XML body that describes the rules; that's TBD

GET /api/firewalls/sg-deadbeef

        Produce description of a firewall rule set as given above.
        
POST /api/firewalls/sg-deadbeef/rules

        Add a new rule to an existing set of firewall rules
        
DELETE /api/firewalls/sg-deadbeef/rules/foo

        Delete a rule from a set of firewall rules

David