Add REJECT action rule for fwaas

https://blueprints.launchpad.net/neutron/+spec/fwaas-reject-rule

Add REJECT into action rule of FWaaS. Action rule of current FWaaS contains only ALLOW/DENY. DENY simply discards the data without a response, but REJECT returns a response. Connection source by this response can be judged to be “connection was refused”.

Problem Description

Action rule of current FWaaS contains only ALLOW/DENY. DENY simply discards the data without a response, but REJECT returns a response. Without REJECT feature, end users cannot know whether their accesses are super late or rejected. This REJECT feature will be a good option for FWaaS.

Proposed Change

Add REJECT into action rule of FWaaS. Connection source by this response can be judged to be “connection was refused”.

Data Model Impact

The db schema will be changed as below. * add “reject” into action column in firewall_rules table.

REST API Impact

Add REJECT into action rule of FWaaS.

Attribute Name Type Access Default Value Validation/ Conversion Description
action string RW, all ‘deny’ ‘allow’, ‘deny’, or ‘reject’ Action rule

Security Impact

None.

Notifications Impact

None.

Other End User Impact

None.

Performance Impact

None.

IPv6 Impact

None.

Other Deployer Impact

None.

Developer Impact

Another project: * Horizon

Community Impact

None.

Alternatives

None.

Implementation

Assignee(s)

Primary assignee:
Higuchi Toshiaki <higuchi@mxj.nes.nec.co.jp>

Work Items

The work items include:

  1. Implement neutron-fwaas changes.
  2. Implement python-neutronclient changes for CLI.
  3. Implement Horizon changes.

Dependencies

None.

Testing

Tempest Tests

Testing will be added to firewall tests.

Functional Tests

Scenario tests will be added to validate REJECT action rule of firewall.

API Tests

Testing will be added to firewall tests.

Documentation Impact

Admin guide will be updated action rule of FWaaS.

User Documentation

User guide will be updated action rule of FWaaS.

Developer Documentation

None.

References

None.