[openstack-dev] [Neutron] FWaaS: Support for explicit commit
patnala003 at gmail.com
Sun Aug 4 06:50:16 UTC 2013
So all the other Network Services like LBaaS, VPNaaS as well also have
to support implicit and explicit 'Commit' modes for configuration.
It is certainly a good idea to support implicit and explicit modes. It is
good if all the other network services also follow the same.
On Sat, Aug 3, 2013 at 7:13 AM, Sumit Naiksatam <sumitnaiksatam at gmail.com> wrote:
> Hi All,
> In Neutron Firewall as a Service (FWaaS), we currently support an
> implicit commit mode, wherein a change made to a firewall_rule is
> propagated immediately to all the firewalls that use this rule (via
> the firewall_policy association), and the rule gets applied in the
> backend firewalls. This might be acceptable; however, this is different
> from the explicit commit semantics which most firewalls support.
> Having an explicit commit operation ensures that multiple rules can be
> applied atomically, as opposed to in the implicit case where each rule
> is applied atomically and thus opens up the possibility of security
> holes between two successive rule applications.
> So the proposal here is quite simple -
> * When any changes are made to the firewall_rules
> (added/deleted/updated), no changes will happen on the firewall (only
> the corresponding firewall_rule resources are modified).
> * We will support an explicit commit operation on the firewall
> resource. Any changes made to the rules since the last commit will now
> be applied to the firewall when this commit operation is invoked.
> * A show operation on the firewall will show a list of the currently
> committed rules, and also the pending changes.
> Kindly respond if you have any comments on this.
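The difference between the two commit modes in the quoted proposal, as an added toy model (constructed for this page, not Neutron FWaaS code): rule changes either reach the backend one at a time (implicit) or are staged on the firewall_rule resources and applied as one unit by an explicit commit, and `show()` returns both committed rules and pending changes. Rule names, the `action`/`dest_port` fields and the `deny_telnet` rules are assumptions for the illustration.

```python
from copy import deepcopy

class Firewall:
    def __init__(self, rules, explicit_commit):
        self.committed = deepcopy(rules)         # rules the backend enforces
        self.pending = []                        # staged (op, rule) changes
        self.explicit_commit = explicit_commit
        self.backend_states = [deepcopy(rules)]  # every state the backend saw

    @staticmethod
    def _apply(rules, op, rule):
        """Return a new rule list with one change applied (input not mutated)."""
        names = [r["name"] for r in rules]
        if op == "add":
            return rules + [rule]
        if rule["name"] not in names:
            raise ValueError("unknown rule %s" % rule["name"])
        if op == "delete":
            return [r for r in rules if r["name"] != rule["name"]]
        if op == "update":
            return [rule if r["name"] == rule["name"] else r for r in rules]
        raise ValueError("bad op %s" % op)

    def change(self, op, rule):
        if self.explicit_commit:
            self.pending.append((op, rule))  # firewall untouched until commit()
        else:  # implicit mode: the backend sees every intermediate state
            self.committed = self._apply(self.committed, op, rule)
            self.backend_states.append(deepcopy(self.committed))

    def commit(self):
        """Apply all pending changes as one unit; any error applies nothing."""
        new = self.committed
        for op, rule in self.pending:
            new = self._apply(new, op, rule)
        self.committed, self.pending = new, []
        self.backend_states.append(deepcopy(new))

    def show(self):
        return {"rules": deepcopy(self.committed), "pending": list(self.pending)}

def states_without_deny(fw, port):
    """Backend states in which no deny rule for `port` was in force (the hole)."""
    return [s for s in fw.backend_states
            if not any(r["action"] == "deny" and r["dest_port"] == port for r in s)]

def replace_deny(explicit_commit):
    # Constructed scenario: swap one deny rule for another (delete, then add).
    old = {"name": "deny_telnet", "action": "deny", "dest_port": 23}
    fw = Firewall([old], explicit_commit)
    fw.change("delete", old)
    fw.change("add", {"name": "deny_telnet_v2", "action": "deny", "dest_port": 23})
    if explicit_commit:
        fw.commit()
    return fw
```

In implicit mode the backend passes through a state with no deny rule for port 23 between the two changes; in explicit mode it only ever sees the state before and the state after the commit.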