[openstack-dev] [Neutron] FWaaS: Support for explicit commit

balaji patnala patnala003 at gmail.com
Sun Aug 4 06:50:16 UTC 2013


Hi Sumit,

So all the other network services like LBaaS and VPNaaS also have
to support implicit and explicit 'Commit' modes for configuration.

It is certainly a good idea to support implicit and explicit modes. It is
good if all the other network services also follow the same.

regards,
balaji
On Sat, Aug 3, 2013 at 7:13 AM, Sumit Naiksatam <sumitnaiksatam at gmail.com>wrote:

> Hi All,
>
> In Neutron Firewall as a Service (FWaaS), we currently support an
> implicit commit mode, wherein a change made to a firewall_rule is
> propagated immediately to all the firewalls that use this rule (via
> the firewall_policy association), and the rule gets applied in the
> backend firewalls. This might be acceptable; however, it is different
> from the explicit commit semantics that most firewalls support.
> Having an explicit commit operation ensures that multiple rules can be
> applied atomically, as opposed to in the implicit case where each rule
> is applied atomically and thus opens up the possibility of security
> holes between two successive rule applications.
>
> So the proposal here is quite simple -
>
> * When any changes are made to the firewall_rules
> (added/deleted/updated), no changes will happen on the firewall (only
> the corresponding firewall_rule resources are modified).
>
> * We will support an explicit commit operation on the firewall
> resource. Any changes made to the rules since the last commit will now
> be applied to the firewall when this commit operation is invoked.
>
> * A show operation on the firewall will show a list of the currently
> committed rules, and also the pending changes.
>
> Kindly respond if you have any comments on this.
>
> Thanks,
> ~Sumit.
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
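The implicit versus explicit commit behaviour described in the quoted proposal, modelled as an added Python example (this is not Neutron code; `FirewallRule`, `Backend`, `Firewall` and `run_scenario` are hypothetical stand-ins for the FWaaS resources). The scenario replaces a deny rule for port 22 with a renamed one in two separate rule changes, and records whether the backend is ever programmed with the intermediate rule set in which port 22 is open.

```python
"""Toy model of implicit vs explicit commit for firewall rules (constructed)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FirewallRule:
    """Hypothetical stand-in for a firewall_rule resource."""
    name: str
    action: str               # "allow" or "deny"
    dst_port: Optional[int]   # None matches any destination port
    position: int             # lower position is evaluated first


class Backend:
    """Stand-in for the backend firewall: first matching rule wins, default deny."""

    def __init__(self) -> None:
        self.rules: List[FirewallRule] = []
        self.pushes = 0       # how many times the rule set was reprogrammed

    def apply(self, rules: List[FirewallRule]) -> None:
        self.rules = sorted(rules, key=lambda r: r.position)
        self.pushes += 1

    def allows(self, dst_port: int) -> bool:
        for rule in self.rules:
            if rule.dst_port is None or rule.dst_port == dst_port:
                return rule.action == "allow"
        return False


class Firewall:
    """Firewall resource supporting either implicit or explicit commit."""

    def __init__(self, backend: Backend, explicit_commit: bool) -> None:
        self.backend = backend
        self.explicit_commit = explicit_commit
        self.committed: List[FirewallRule] = []
        self.pending: List[Tuple[str, FirewallRule]] = []

    @staticmethod
    def _apply_change(rules, op, rule):
        if op == "add":
            return rules + [rule]
        if op == "delete":
            return [r for r in rules if r.name != rule.name]
        if op == "update":
            return [rule if r.name == rule.name else r for r in rules]
        raise ValueError(f"unknown operation {op!r}")

    def change(self, op: str, rule: FirewallRule) -> None:
        if self.explicit_commit:
            self.pending.append((op, rule))        # stage only, backend untouched
        else:
            self.committed = self._apply_change(self.committed, op, rule)
            self.backend.apply(self.committed)     # propagate immediately

    def commit(self) -> None:
        if not self.pending:
            return
        rules = list(self.committed)
        for op, rule in self.pending:
            rules = self._apply_change(rules, op, rule)
        self.committed = rules
        self.pending = []
        self.backend.apply(self.committed)         # one atomic push for all changes

    def show(self) -> dict:
        ordered = sorted(self.committed, key=lambda r: r.position)
        return {"committed": [r.name for r in ordered],
                "pending": [(op, r.name) for op, r in self.pending]}


def run_scenario(explicit_commit: bool) -> dict:
    """Replace the deny rule for port 22 in two changes; report the exposure window."""
    backend = Backend()
    fw = Firewall(backend, explicit_commit)
    deny_old = FirewallRule("deny-ssh-old", "deny", 22, position=10)
    allow_all = FirewallRule("allow-any", "allow", None, position=20)
    deny_new = FirewallRule("deny-ssh-new", "deny", 22, position=10)
    # Constructed starting state: deny 22, allow everything else.
    fw.committed = [deny_old, allow_all]
    backend.apply(fw.committed)
    backend.pushes = 0                             # count only the change window
    fw.change("delete", deny_old)
    exposed = backend.allows(22)                   # state between the two changes
    fw.change("add", deny_new)
    pending_before_commit = len(fw.pending)
    fw.commit()
    return {"exposed_between_changes": exposed,
            "pending_before_commit": pending_before_commit,
            "final_allows_22": backend.allows(22),
            "backend_pushes": backend.pushes,
            "committed": fw.show()["committed"]}


if __name__ == "__main__":
    print("implicit:", run_scenario(explicit_commit=False))
    print("explicit:", run_scenario(explicit_commit=True))
```

Both modes end in the same committed rule set, but only the implicit mode reprograms the backend twice and leaves port 22 reachable between the delete and the add; in explicit mode `show()` lists both staged operations as pending until `commit()` pushes them together.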