I think the support of the subnet should be part of the address object or address 
book object. We should not eliminate the possibility to run a firewall as an 
add-on service on top of a virtual router. As a matter of fact, there are many 
VM-based firewalls providing a certain level of routing service anyway. And such a 
firewall should be able to use the router interfaces to construct the zone 
concept. With both address object and zone, we should be able to support 
most of the requirements. 

Yi 


On Oct 29, 2013, at 10:59 PM, Sumit Naiksatam <sumitnaiksa...@gmail.com> wrote:

> I believe people would like to define the zone based on the router port 
> (corresponding to that router's interface). The zone definition at port-level 
> granularity allows one to do that.
> 
> I think your other question is answered as well (firewall will be supported 
> on particular routers).
> 
> Thanks,
> ~Sumit.
> 
> 
> On Mon, Oct 28, 2013 at 7:12 PM, <f...@vmware.com> wrote:
> My main concern is that using neutron ports for zones may cause 
> confusion/misconfig while you can have two ports connected to the same 
> network/subnet in different zones. Using network, or subnet (in the form of 
> network/subnet uuid), on the other hand, is more general and can still be 
> mapped to any interface that has a port in those networks/subnets.
> 
> Also, which "ports" are we talking about here? Router's port (but a Firewall 
> doesn't necessarily associate with a router in the current model)? Firewall's ports 
> (does Firewall even have ports now? In addition, this means we're not able to 
> create a rule with zones before a Firewall is created)? Definitely not VM's 
> port....
> 
> Thanks,
> 
> -Kaiwei
> 
> 
> 
> From: "Rajesh Mohan" <rajesh.mli...@gmail.com>
> To: "OpenStack Development Mailing List" <openstack-dev@lists.openstack.org>
> Sent: Thursday, October 24, 2013 2:48:39 PM
> Subject: Re: [openstack-dev] [Neutron] FWaaS IceHouse summit prep and IRC meeting
> 
> This is good discussion.
> 
> +1 for using Neutron ports for defining zones. I see Kaiwei's point but for 
> DELL, neutron ports make more sense.
> 
> I am not sure if I completely understood the bump-in-the-wire/zone 
> discussion. DELL security appliance allows using different zones with 
> bump-in-the-wire. If the firewall is inserted in bump-in-the-wire mode 
> between router and LAN hosts, then it does make sense to apply different 
> zones on ports connected to LAN and Router. There are cases where the 
> end-users apply the same zones on both sides but this is a decision we should 
> leave to end customers. We should allow configuring zones in bump-in-the-wire 
> mode as well.
> 
> 
> 
> 
> 
> On Wed, Oct 23, 2013 at 12:08 PM, Sumit Naiksatam <sumitnaiksa...@gmail.com> 
> wrote:
> Log from today's meeting:
> http://eavesdrop.openstack.org/meetings/networking_fwaas/2013/networking_fwaas.2013-10-23-18.02.log.html
> 
> 
> Action items for some of the folks included.
> 
> Please join us for the meeting next week.
> 
> Thanks,
> ~Sumit.
> 
> On Tue, Oct 22, 2013 at 2:00 PM, Sumit Naiksatam <sumitnaiksa...@gmail.com> 
> wrote:
> Reminder - we will have the Neutron FWaaS IRC meeting tomorrow Wednesday 
> 18:00 UTC (11 AM PDT).
> 
> Agenda:
> * Tempest tests
> * Definition and use of zones
> * Address Objects
> * Counts API
> * Service Objects
> * Integration with service type framework
> * Open discussion - any other topics you would like to bring up for 
> discussion during the summit.
> 
> https://wiki.openstack.org/wiki/Meetings/FWaaS
> 
> Thanks,
> ~Sumit.
> 
> 
> On Sun, Oct 13, 2013 at 1:56 PM, Sumit Naiksatam <sumitnaiksa...@gmail.com> 
> wrote:
> Hi All,
> 
> For the next phase of FWaaS development we will be considering a number of 
> features. I am proposing an IRC meeting on Oct 16th Wednesday 18:00 UTC (11 
> AM PDT) to discuss this.
> 
> The etherpad for the summit session proposal is here:
> https://etherpad.openstack.org/p/icehouse-neutron-fwaas
> 
> and has a high level list of features under consideration.
> 
> Thanks,
> ~Sumit.
> 
>  
> 
> 
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> 
> 
> 

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
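
The port-versus-subnet trade-off discussed in this thread, as an added example that is not part of any message or of Neutron's code: a check that flags subnets whose ports land in different zones, and the expansion of subnet-defined zones onto ports. The port, subnet and zone names and the dictionary shapes are constructed assumptions, not the FWaaS API.

```python
from collections import defaultdict

# Constructed sample data (not Neutron API output): router port -> subnet.
PORTS = {
    "port-a": "subnet-lan",
    "port-b": "subnet-lan",   # second interface on the same subnet
    "port-c": "subnet-dmz",
    "port-d": "subnet-ext",
}

# Port-level zone definition (hypothetical shape).
ZONES_BY_PORT = {
    "trusted": ["port-a"],
    "dmz": ["port-b", "port-c"],
    "untrusted": ["port-d"],
}

# Subnet-level zone definition (hypothetical shape).
ZONES_BY_SUBNET = {
    "trusted": ["subnet-lan"],
    "dmz": ["subnet-dmz"],
    "untrusted": ["subnet-ext"],
}


def split_subnets(ports, zones_by_port):
    """Return {subnet: sorted zones} for subnets whose ports sit in more than one zone."""
    seen = defaultdict(set)
    for zone, port_ids in zones_by_port.items():
        for pid in port_ids:
            if pid not in ports:
                raise ValueError(f"zone {zone!r} references unknown port {pid!r}")
            seen[ports[pid]].add(zone)
    return {s: sorted(z) for s, z in seen.items() if len(z) > 1}


def expand_subnet_zones(ports, zones_by_subnet):
    """Map subnet-defined zones onto every port that sits in those subnets."""
    owner = {}
    for zone, subnets in zones_by_subnet.items():
        for s in subnets:
            # A subnet may belong to one zone only in this model.
            if owner.setdefault(s, zone) != zone:
                raise ValueError(f"subnet {s!r} is in zones {owner[s]!r} and {zone!r}")
    return {z: sorted(p for p, s in ports.items() if owner.get(s) == z)
            for z in zones_by_subnet}
```

With port-level zones the split on `subnet-lan` is allowed but worth surfacing to the operator; with subnet-level zones it cannot be expressed at all, which is the flexibility the bump-in-the-wire case asks for.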
