[openstack-dev] [Neutron] FWaaS: Support for explicit commit

Stephen Gran stephen.gran at theguardian.com
Sat Aug 3 08:43:40 UTC 2013

On 03/08/13 02:43, Sumit Naiksatam wrote:
> Hi All,
> In Neutron Firewall as a Service (FWaaS), we currently support an
> implicit commit mode, wherein a change made to a firewall_rule is
> propagated immediately to all the firewalls that use this rule (via
> the firewall_policy association), and the rule gets applied in the
> backend firewalls. This might be acceptable, however this is different
> from the explicit commit semantics which most firewalls support.
> Having an explicit commit operation ensures that multiple rules can be
> applied atomically, as opposed to in the implicit case where each rule
> is applied atomically and thus opens up the possibility of security
> holes between two successive rule applications.

This all seems quite reasonable.

> So the proposal here is quite simple -
> * When any changes are made to the firewall_rules
> (added/deleted/updated), no changes will happen on the firewall (only
> the corresponding firewall_rule resources are modified).

I would leave the default as it currently is, and make this an optional
mode that can be triggered with a parameter.  This seems to me to
preserve the principle of least surprise for everyday operations, but
allow for more complicated things when needed.

> * We will support an explicit commit operation on the firewall
> resource. Any changes made to the rules since the last commit will now
> be applied to the firewall when this commit operation is invoked.
> * A show operation on the firewall will show a list of the currently
> committed rules, and also the pending changes.
> Kindly respond if you have any comments on this.

Stephen Gran
Senior Systems Integrator - theguardian.com
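A small model of the two commit modes discussed in this thread, added here as an example and not Neutron's own FWaaS code. It assumes first-match evaluation with a default deny, that an added rule goes to the front of the list, and a hypothetical swap of a /24 deny for a /16 deny done as delete-then-add; it shows the window in which implicit mode lets the blocked source through while explicit mode keeps the old ruleset active until commit.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class FirewallRule:
    name: str
    action: str                  # "allow" or "deny"
    source: str                  # source CIDR the rule matches
    port: Optional[int] = None   # None matches any destination port
    def matches(self, src, port):
        return ip_address(src) in ip_network(self.source) and self.port in (None, port)

class Firewall:
    """First-match rule evaluation; no match falls through to deny (assumption)."""
    def __init__(self, rules, explicit_commit=False):
        self.committed = list(rules)  # ruleset the backend firewall enforces
        self.pending = []             # (op, rule) staged since the last commit
        self.explicit = explicit_commit
    def _apply(self, op, rule):
        rest = [r for r in self.committed if r.name != rule.name]
        self.committed = rest if op == "delete" else [rule] + rest
    def change(self, op, rule):
        if self.explicit:
            self.pending.append((op, rule))  # only the firewall_rule resource changes
        else:
            self._apply(op, rule)            # propagated to the backend immediately
    def commit(self):
        for op, rule in self.pending:        # every staged change lands together
            self._apply(op, rule)
        self.pending = []
    def show(self):
        return {"rules": [r.name for r in self.committed],
                "pending": [(op, r.name) for op, r in self.pending]}
    def decide(self, src, port):
        return next((r.action for r in self.committed if r.matches(src, port)), "deny")

def swap_deny_rule(explicit):
    """Widen a deny from /24 to /16 via delete+add; return verdicts after each step."""
    fw = Firewall([FirewallRule("block", "deny", "192.0.2.0/24", 80),
                   FirewallRule("web", "allow", "0.0.0.0/0", 80)], explicit)
    seen = []
    for op, cidr in (("delete", "192.0.2.0/24"), ("add", "192.0.0.0/16")):
        fw.change(op, FirewallRule("block", "deny", cidr, 80))
        seen.append(fw.decide("192.0.2.10", 80))   # constructed sample packet
    fw.commit()
    return seen + [fw.decide("192.0.2.10", 80)]
```

In implicit mode the verdicts are allow, deny, deny: the blocked source is admitted between the delete and the add. In explicit mode they are deny throughout.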