[Openstack-operators] Neutron Firewall as a Service

Sean M. Collins sean at coreitpro.com
Thu Nov 12 16:27:30 UTC 2015

Hello Operators!

Similar to the post that Kyle sent to this list about the VPNaaS[1]
API in Neutron, I would like to survey the operators to see who is
currently using the Firewall as a Service API.

Recently, a new core team was appointed, with a mission to gather
requirements[2], determine the gaps in the current API, and make changes
where necessary to make the API more compelling to users and operators.

The new team is currently putting together an API specification, which
will make changes to the API. The guiding thesis (in my
mind) is that the current FwaaS API, which inserts firewalls at the
router, is not flexible enough.

We are looking to make the new API more flexible, and will be iterating
on a spec in neutron-specs[3]. The spec was just posted the other day,
and we are currently just gathering up all the work that has been
discussed within the fwaas team over the past few months, so do not be
alarmed that the spec is in flux. I will be sure to e-mail the ops list
once things settle down a bit, so that it can be reviewed by the folks
we hope will find the API useful enough, to actually deploy.

Gearman and others made a presentation at the Tokyo summit with some of
our thoughts, which you may want to review[4].

Finally, we want to know how important backwards compatibility is.
Similar to how Paul sent a mail on the mailing list[5] asking if it was
alright to make incompatible changes, we'd also like to solicit feedback
as well.

It is my hope that we can create migrations and migrate existing data to
whatever our new model is, but if it is not possible, and there is a
binary choice between making a change and preserving backwards
compatibility, the choice would be to break. Obviously the real world is
not black and white and will likely not give me such an easy choice, but
this will at least give you some insight into my thinking.

Thank you for your time - please do join us in the FwaaS IRC meeting if
you'd like to participate![6]

[1]: http://lists.openstack.org/pipermail/openstack-operators/2015-August/007888.html

[2]: http://lists.openstack.org/pipermail/openstack-dev/2015-July/069784.html

[3]: https://review.openstack.org/#/c/243873/2/specs/mitaka/fwaas-api-2.0.rst,cm

[4]: https://www.openstack.org/summit/tokyo-2015/videos/presentation/openstack-neutron-fwaas-roadmap

[5]: http://lists.openstack.org/pipermail/openstack-operators/2015-August/007976.html

[6]: http://eavesdrop.openstack.org/#Firewall_as_a_Service_(FWaaS)_Team_Meeting
Sean M. Collins

More information about the OpenStack-operators mailing list