Implement Security Groups
Assignee: Carlos Martín
Category: Core & System
Target version: Release 4.12
Feature #3175: Ask for SECGROUP USE auth in VM creation.
This only checks the sec groups requested directly in
each NIC/SECURITY_GROUPS. The sec groups added from the
vnet (and AR) are not checked for auth.
Feature #3175: SG vnm driver now uses the model of TEMPLATE/SECURITY_GROUP_RULE and TEMPLATE/NIC/SECURITY_GROUPS
Feature #3175: Core support for RULE/NETWORK_ID
Each rule is copied once for each vnet's AR
Feature #3175: Include TEMPLATE/SECURITY_GROUP_RULE as a
required attribute to send to the vnm drivers.
Feature #3175: Add a default SG rule to allow outbound connections for every protocol
Feature #3175: Improve SG driver
- Refactor and apply new ACCEPT => REJECT strategy
- Adds icmp_type support
- Do not apply duplicate rules
- Specific ipset per protocol
- Improve rule types readability in the driver
- Adds support for mac and ip spoofing filtering
- Reorder rules
Feature #3175: Default security group also allows inbound and outbound connections
Feature #3175: Rewrite the security_groups post script to handle the errors better.
Feature #3175: FILTER_IP_SPOOFING and FILTER_MAC_SPOOFING must be set to "YES" (and not just any value) in order to be applied.
Feature #3175: Function that returns true if the VM has deprecated firewall attributes
Feature #3175: Add FILTER_MAC_SPOOFING and FILTER_IP_SPOOFING to the
inherited attributes in oned.conf