[openstack-dev] [Neutron] FWaaS: Support for explicit commit

Sumit Naiksatam sumitnaiksatam at gmail.com
Wed Aug 7 22:40:16 UTC 2013

We had some discussion on this during the Neutron IRC meeting, and per
that discussion I have created a blueprint for this:

Further comments can be posted on the blueprint whiteboard and/or the
design spec doc.


On Fri, Aug 2, 2013 at 6:43 PM, Sumit Naiksatam
<sumitnaiksatam at gmail.com> wrote:
> Hi All,
> In Neutron Firewall as a Service (FWaaS), we currently support an
> implicit commit mode, wherein a change made to a firewall_rule is
> propagated immediately to all the firewalls that use this rule (via
> the firewall_policy association), and the rule gets applied in the
> backend firewalls. This might be acceptable, however this is different
> from the explicit commit semantics which most firewalls support.
> Having an explicit commit operation ensures that multiple rules can be
> applied atomically, as opposed to in the implicit case where each rule
> is applied atomically and thus opens up the possibility of security
> holes between two successive rule applications.
> So the proposal here is quite simple -
> * When any changes are made to the firewall_rules
> (added/deleted/updated), no changes will happen on the firewall (only
> the corresponding firewall_rule resources are modified).
> * We will support an explicit commit operation on the firewall
> resource. Any changes made to the rules since the last commit will now
> be applied to the firewall when this commit operation is invoked.
> * A show operation on the firewall will show a list of the currently
> committed rules, and also the pending changes.
> Kindly respond if you have any comments on this.
> Thanks,
> ~Sumit.

More information about the OpenStack-dev mailing list