Feature #3175

Implement Security Groups

Added by Carlos Martín over 6 years ago. Updated almost 6 years ago.

Status: Closed
Start date: 11/28/2014
Priority: Normal
Due date:
Assignee: Carlos Martín
% Done: 100%
Category: Core & System
Target version: Release 4.12
Resolution: fixed
Pull request:

Subtasks

Feature #3386: New package dependency: ipset Closed


Related issues

Related to Backlog #3200: Create a security group to allow ESP (IP protocol 50) Closed 09/29/2014
Related to Backlog #3250: Implement Security Groups for Open vSwitch Pending 10/20/2014
Related to Bug #3424: Template update deletes legacy Firewall driver attributes... Closed 12/09/2014

Associated revisions

Revision 00990b33
Added by Carlos Martín over 6 years ago

Feature #3175: New Security Group pool in the core

Revision 6fbbef6b
Added by Carlos Martín over 6 years ago

Feature #3175: New onesecgroup command

Revision 73fb5018
Added by Carlos Martín over 6 years ago

Feature #3175: Add secgroup acl resource to CLI

Revision bb7a9720
Added by Carlos Martín over 6 years ago

Feature #3175: Make sec groups start with ID 100

Revision ed167a86
Added by Carlos Martín over 6 years ago

Feature #3175: Sec groups store the VMs using them

Revision 79c0a807
Added by Carlos Martín over 6 years ago

Feature #3175: Copy the Sec Group rules to the VM Template

Revision e5261f61
Added by Carlos Martín over 6 years ago

Feature #3175: Ask for SECGROUP USE auth in VM creation.

This only checks the sec groups requested directly in
each NIC/SECURITY_GROUPS. The sec groups added from the
vnet (and AR) are not checked for auth.

Revision a5068335
Added by Carlos Martín over 6 years ago

Feature #3175: Add a security group tab to sunstone

Revision 8be76699
Added by Carlos Martín over 6 years ago

Feature #3175: Migrate the sec group wizard to new non-modal mechanism

Revision fd7facdd
Added by Carlos Martín over 6 years ago

Feature #3175: First version of the sec groups wizard

Revision da3b9aec
Added by Carlos Martín over 6 years ago

Feature #3175: Security group definition for vnet, ar & nic

Revision 96073d24
Added by Carlos Martín over 6 years ago

Feature #3175: Fix bug in sec group table refresh

Revision 21eb57d2
Added by Carlos Martín over 6 years ago

Feature #3175: Sec group table in vnet AR update

Revision b6277c95
Added by Carlos Martín over 6 years ago

Feature #3175: Show selected security groups for vnets and AR info

Revision 33466283
Added by Carlos Martín over 6 years ago

Feature #3175: Move vnet creation wizard to new window model

Revision e0c31a7d
Added by Carlos Martín over 6 years ago

Feature #3175: New vnet update wizard

Revision 944f7ba8
Added by Carlos Martín over 6 years ago

Feature #3175: Update sec groups in Template nic

Revision 38ba60b2
Added by Carlos Martín over 6 years ago

Feature #3175: Change sec group TYPE to RULE_TYPE

Revision 7d0fe47f
Added by Jaime Melis over 6 years ago

Feature #3175: SG vnm driver now uses the model of TEMPLATE/SECURITY_GROUP_RULE and TEMPLATE/NIC/SECURITY_GROUPS

Revision 52d4e594
Added by Carlos Martín over 6 years ago

Feature #3175: Add vnet selector in sec group wizard

Revision 76218309
Added by Carlos Martín over 6 years ago

Feature #3175: Core support for RULE/NETWORK_ID

Each rule is copied once for each vnet's AR

Revision fba2dfc6
Added by Carlos Martín over 6 years ago

Feature #3175: Better security group ID management

Revision 9dc6d998
Added by Carlos Martín over 6 years ago

Feature #3175: Add extended info to NICs in vm view

Revision 72e71af8
Added by Carlos Martín over 6 years ago

Feature #3175: Refactor SG wizard

Revision 264e956c
Added by Carlos Martín over 6 years ago

Feature #3175: Improve SG info panel, and nic SG table

Revision 39fe2580
Added by Carlos Martín over 6 years ago

Feature #3175: Add advanced section to SG wizard

Revision 2d559db1
Added by Carlos Martín over 6 years ago

Feature #3175: SG update wizard

Revision a4e25675
Added by Carlos Martín over 6 years ago

Feature #3175: Remove dependency between VM and SG tabs

Revision 1ed22ef3
Added by Carlos Martín over 6 years ago

Feature #3175: Refactor SG wizard

Revision d4b42ca9
Added by Carlos Martín over 6 years ago

Feature #3175: Improve SG wizard

Revision 0d9e1d54
Added by Carlos Martín over 6 years ago

Feature #3175: Do not send icmp_type for 'all' value

Revision 9a816c7b
Added by Carlos Martín over 6 years ago

Feature #3175: Fix bug in SG clone

Revision 79098c5e
Added by Carlos Martín over 6 years ago

Feature #3175: Hide SG in VNet template attributes

Revision 19bff886
Added by Carlos Martín over 6 years ago

Feature #3175: Table for rules in onesecgroup show

Revision aba69312
Added by Carlos Martín over 6 years ago

Feature #3175: Table for SG rules in onevm show

Revision 863b82bb
Added by Carlos Martín over 6 years ago

Feature #3175: onedb migrator to add SG table

Revision 577d8c0a
Added by Carlos Martín over 6 years ago

Feature #3175: Fix SG tables after merge

Revision 62b241df
Added by Ruben S. Montero about 6 years ago

feature #3175: Move AR attributes for SG to class constants

Revision 475f8180
Added by Carlos Martín about 6 years ago

Feature #3175: Better management of nics without security groups

Revision 711528e6
Added by Jaime Melis about 6 years ago

Feature #3175: Include TEMPLATE/SECURITY_GROUP_RULE as a
required attribute to send to the vnm drivers.

Revision eb9e4a5c
Added by Jaime Melis about 6 years ago

Feature #3175: Better sg/post call that can handle exceptions.

Revision 05fa0053
Added by Jaime Melis about 6 years ago

Feature #3175: Handle IP/SIZE nets

Revision 86be6b27
Added by Jaime Melis about 6 years ago

Feature #3175: Add support for IPSEC

Revision c512885b
Added by Jaime Melis about 6 years ago

Feature #3175: Prevent deadlocks

Revision 349f0cea
Added by Jaime Melis about 6 years ago

Feature #3175: use proper vnet

Revision 0ad8c9dc
Added by Ruben S. Montero about 6 years ago

feature #3175: Rename split method

Revision ae7f8e86
Added by Ruben S. Montero about 6 years ago

feature #3175: Copy security group rules by reference

Revision 18786ec0
Added by Ruben S. Montero about 6 years ago

feature #3175: Cache SECURITY_GROUP parsing

Revision 461a448c
Added by Ruben S. Montero about 6 years ago

feature #3175: Review VirtualMachine method scope

Revision f7d9d692
Added by Ruben S. Montero about 6 years ago

feature #3175: Do not duplicate SG information

Revision c77ccc36
Added by Ruben S. Montero about 6 years ago

feature #3175: fix error bootstrapping security group rules

Revision 8a22a6d8
Added by Ruben S. Montero about 6 years ago

feature #3175: Fix error rebuilding AR security groups

Revision 3f2ad72c
Added by Ruben S. Montero about 6 years ago

feature #3175: Check security group consistency

Revision b57ccf38
Added by Ruben S. Montero about 6 years ago

feature #3175: Add a default SG rule to allow outbound connections for every protocol

Revision bf6eb196
Added by Ruben S. Montero about 6 years ago

feature #3175: Security Group 0 cannot be deleted

Revision c6aa3d22
Added by Ruben S. Montero about 6 years ago

feature #3175: Solves memory leaks. Add SG 0 to new networks

Revision a3d90ce8
Added by Ruben S. Montero about 6 years ago

feature #3175: Remove duplicated sgs when the VNET is inserted

Revision aaba12f7
Added by Ruben S. Montero about 6 years ago

feature #3175: Group Users can create Security Groups

Revision f8c79024
Added by Carlos Martín about 6 years ago

Feature #3175: Change range labels to "port range"

Revision a1b6ff59
Added by Carlos Martín about 6 years ago

Feature #3175: New SG protocol "all" in sunstone

Revision 8542e8c2
Added by Carlos Martín about 6 years ago

Feature #3175: fix multiple choice table bug

Revision 69e16455
Added by Carlos Martín about 6 years ago

Feature #3175: New group wizard: add SG create rights

Revision 58b6be11
Added by Carlos Martín about 6 years ago

Feature #3175: Add SECGROUP to sunstone acls

Revision 514d2c3b
Added by Carlos Martín about 6 years ago

Feature #3175: Add secgroup tab to other yaml files

Revision b5867d8f
Added by Carlos Martín about 6 years ago

Feature #3175: Add default SG in onedb migrator

Revision 6dd181d8
Added by Carlos Martín about 6 years ago

Feature #3175: Add required fields to new rule wizard

Revision b34dbfd7
Added by Carlos Martín about 6 years ago

Feature #3175: Add a warning about the default SG

Revision 60634c34
Added by Jaime Melis about 6 years ago

Feature #3175: Improve SG driver
- Refactor and apply new ACCEPT => REJECT strategy
- Adds icmp_type support
- Do not apply duplicate rules
- Specific ipset per protocol
- Improve rule types readability in the driver
- Adds support for mac and ip spoofing filtering
- Reorder rules

Revision ee369a7d
Added by Jaime Melis about 6 years ago

Feature #3175: Default security group allows also inbound and outbound connections

Revision 93dab46c
Added by Jaime Melis about 6 years ago

Feature #3175: Tooltips

Revision 8acf5440
Added by Jaime Melis about 6 years ago

Feature #3175: Add migrator rule to include inbound connections

Revision 771a213b
Added by Jaime Melis about 6 years ago

Feature #3175: Remove debugging info

Revision 63ba5d45
Added by Jaime Melis about 6 years ago

Feature #3175: Avoid errors if empty rules and apply an ACCEPT policy by default.

Revision 17d20ec6
Added by Jaime Melis about 6 years ago

Feature #3175: Rewrite the security_groups post script to handle the errors better.

Revision 492cf087
Added by Carlos Martín about 6 years ago

Feature #3175: Add spoofing checkboxes to vnet wizard

Revision c7d3b782
Added by Jaime Melis about 6 years ago

Feature #3175: Move SecurityGroups.rb to top vnm remotes dir

Revision fa5a5842
Added by Jaime Melis about 6 years ago

Feature #3175: Extract IPNetmask to its own library

Revision a5144a09
Added by Jaime Melis about 6 years ago

Feature #3175: FILTER_IP_SPOOFING and FILTER_MAC_SPOOFING must be set to "YES" (and not just any value) in order to be applied.

Revision 9568e0b2
Added by Jaime Melis about 6 years ago

Feature #3175: Function that returns true if the VM has deprecated firewall attributes

Revision a67b541f
Added by Jaime Melis about 6 years ago

Feature #3175: Call the new SG driver from the ebtables and 802.1q driver

Revision 6ebe8c13
Added by Jaime Melis about 6 years ago

Feature #3175: Firewall driver is compatible with the security groups driver

Revision 887f2f92
Added by Jaime Melis about 6 years ago

Feature #3175: FW drivers manage the SG drivers as well

Revision 2c07f7db
Added by Jaime Melis about 6 years ago

Feature #3175: Unify the way the filter driver is called and handled

Revision 91d8a4bb
Added by Jaime Melis about 6 years ago

Feature #3175: 802.1Q/clean and post are the same as fw/clean and post

Revision 1554aa98
Added by Jaime Melis about 6 years ago

Feature #3175: Tooltips for IP and MAC spoofing

Revision 84bfe1ed
Added by Jaime Melis about 6 years ago

Feature #3175: Add FILTER_MAC_SPOOFING and FILTER_IP_SPOOFING to the
inherited attributes in oned.conf

Revision 9816b0ba
Added by Carlos Martín about 6 years ago

Feature #3175: Remove white/black ports and icmp drop from sunstone

Previous Templates will have this information removed from the NIC
if the update wizard is used, see #3424

Revision bf64fa1b
Added by Ruben S. Montero about 6 years ago

feature #3175: Some refactor of SG classes

Revision 0e49cf00
Added by Ruben S. Montero about 6 years ago

feature #3175: More refactor

Revision fba4deec
Added by Ruben S. Montero about 6 years ago

feature #3175: Moved Nic and VM to new modules

Revision 536be6ec
Added by Ruben S. Montero about 6 years ago

feature #3175: Moved firewall and SG drivers to new module. Removed old files

Revision 90c3e9ff
Added by Ruben S. Montero about 6 years ago

feature #3175: Fix multiple syntax errors

Revision e3a71b17
Added by Ruben S. Montero about 6 years ago

feature #3175: Move VNM drivers to new modules

Revision f85a67b0
Added by Ruben S. Montero about 6 years ago

feature #3175: Fix bugs

Revision f0e9705f
Added by Ruben S. Montero about 6 years ago

feature #3175: Fix minor bugs. Add simple test

Revision 354cd84a
Added by Ruben S. Montero about 6 years ago

feature #3175: Fix bug

Revision 0961dc48
Added by Ruben S. Montero about 6 years ago

feature #3175: Rename OpenNebulaNetwork class to VNMDriver. Change filenames also

Revision 0fcbadea
Added by Ruben S. Montero about 6 years ago

feature #3175: Fix bugs. New method to access commands

Revision 14201668
Added by Ruben S. Montero about 6 years ago

feature #3175: Fix spoofing with non-SG VMs

Revision 169f5648
Added by Jaime Melis about 6 years ago

feature #3175: Check if RANGE has proper syntax

Revision d03fdf33
Added by Carlos Martín about 6 years ago

Feature #3471, #3175: Update onedb import-slave command for the new tables

Revision 7ed6071f
Added by Carlos Martín about 6 years ago

Feature #3471, #3175: Add VDC to ACL rules

SECGROUP was also missing from the java oca

Revision defd48cc
Added by Jaime Melis almost 5 years ago

Feature #3175: Fix 802.1Q call

Revision f6656808
Added by Jaime Melis almost 5 years ago

Feature #3175: Syntax errors

History

#1 Updated by Tino Vázquez over 6 years ago

  • Related to Backlog #3200: Create a security group to allow ESP (IP protocol 50) added

#2 Updated by Ruben S. Montero over 6 years ago

  • Related to Backlog #3250: Implement Security Groups for Open vSwitch added

#3 Updated by Carlos Martín about 6 years ago

Docs (work in progress) can be found in branch feature-3175 of the doc repo

#4 Updated by Carlos Martín about 6 years ago

  • Related to Bug #3424: Template update deletes legacy Firewall driver attributes (e.g. WHITE_PORTS...) added

#5 Updated by Ruben S. Montero about 6 years ago

  • Status changed from Assigned to Closed
  • Target version set to Release 4.12
  • Resolution set to fixed
