We had some discussion on this during the Neutron IRC meeting, and per that discussion I have created a blueprint for this: https://blueprints.launchpad.net/neutron/+spec/neutron-fwaas-explicit-commit

Further comments can be posted on the blueprint whiteboard and/or the design spec doc.

Thanks,
~Sumit.

On Fri, Aug 2, 2013 at 6:43 PM, Sumit Naiksatam <sumitnaiksa...@gmail.com> wrote:
> Hi All,
>
> In Neutron Firewall as a Service (FWaaS), we currently support an
> implicit commit mode, wherein a change made to a firewall_rule is
> propagated immediately to all the firewalls that use this rule (via
> the firewall_policy association), and the rule gets applied in the
> backend firewalls. This might be acceptable; however, this is different
> from the explicit commit semantics which most firewalls support.
> Having an explicit commit operation ensures that multiple rules can be
> applied atomically, as opposed to the implicit case, where each rule
> is applied atomically and thus opens up the possibility of security
> holes between two successive rule applications.
>
> So the proposal here is quite simple:
>
> * When any changes are made to the firewall_rules
> (added/deleted/updated), no changes will happen on the firewall (only
> the corresponding firewall_rule resources are modified).
>
> * We will support an explicit commit operation on the firewall
> resource. Any changes made to the rules since the last commit will now
> be applied to the firewall when this commit operation is invoked.
>
> * A show operation on the firewall will show a list of the currently
> committed rules, and also the pending changes.
>
> Kindly respond if you have any comments on this.
>
> Thanks,
> ~Sumit.

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
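The explicit-commit model in the quoted proposal (staged rule changes, one atomic commit, a show that lists committed rules and pending changes) is small enough to sketch in code. The following is an added example written for this page; it is not Neutron FWaaS code, and every name in it (`Firewall`, `commit`, `show`, `backend_states`, the rule field names and the sample rules) is an assumption made for illustration. The `backend_states` helper also shows why the proposal matters: with implicit mode (modelled here as committing after every change) the backend passes through an intermediate state with no deny rule at all, whereas with explicit commit it never does.

```python
from copy import deepcopy


class ValidationError(Exception):
    """Raised when the candidate rule set fails validation; nothing is applied."""


class Firewall:
    """Firewall resource with an explicit commit step (hypothetical model)."""

    REQUIRED = ("action", "protocol", "destination_port")

    def __init__(self, rules=None):
        # Rules currently applied in the backend: rule_id -> rule dict.
        self.committed = deepcopy(rules) if rules else {}
        # Changes staged since the last commit: rule_id -> (op, rule).
        self.pending = {}

    def add_rule(self, rule_id, rule):
        self.pending[rule_id] = ("add", dict(rule))

    def update_rule(self, rule_id, rule):
        self.pending[rule_id] = ("update", dict(rule))

    def delete_rule(self, rule_id):
        self.pending[rule_id] = ("delete", None)

    def _candidate(self):
        """Apply pending changes to a copy; self.committed is never touched here."""
        candidate = deepcopy(self.committed)
        for rule_id, (op, rule) in self.pending.items():
            if op == "add":
                if rule_id in candidate:
                    raise ValidationError(f"rule {rule_id} already exists")
                candidate[rule_id] = rule
            elif op == "update":
                if rule_id not in candidate:
                    raise ValidationError(f"rule {rule_id} does not exist")
                candidate[rule_id] = rule
            elif op == "delete":
                if rule_id not in candidate:
                    raise ValidationError(f"rule {rule_id} does not exist")
                del candidate[rule_id]
        return candidate

    def _validate(self, rules):
        for rule_id, rule in rules.items():
            missing = [k for k in self.REQUIRED if k not in rule]
            if missing:
                raise ValidationError(f"rule {rule_id} missing {missing}")
            if rule["action"] not in ("allow", "deny"):
                raise ValidationError(f"rule {rule_id}: bad action {rule['action']!r}")

    def commit(self):
        """Validate the whole candidate set, then swap it in as one step."""
        candidate = self._candidate()
        self._validate(candidate)
        self.committed = candidate  # the only point where the backend changes
        self.pending = {}
        return deepcopy(self.committed)

    def show(self):
        """Committed rules plus the changes staged since the last commit."""
        return {"committed": deepcopy(self.committed),
                "pending": deepcopy(self.pending)}


def commit_safely(fw):
    """Return (True, rules) on success or (False, reason) when validation fails."""
    try:
        return True, fw.commit()
    except ValidationError as exc:
        return False, str(exc)


# Constructed sample rules: a broad SSH deny and its narrower replacement.
DENY_ALL_SSH = {"action": "deny", "protocol": "tcp", "destination_port": 22}
DENY_SSH_FROM_NET = {"action": "deny", "protocol": "tcp",
                     "destination_port": 22, "source_ip": "198.51.100.0/24"}


def backend_states(explicit):
    """Replace r1 with r2 and record the rule-id set the backend holds after
    each step.  explicit=False mimics implicit mode by committing per change."""
    fw = Firewall({"r1": DENY_ALL_SSH})
    observed = [set(fw.committed)]
    fw.delete_rule("r1")
    if not explicit:
        fw.commit()                       # deny is gone before r2 exists
        observed.append(set(fw.committed))
    fw.add_rule("r2", DENY_SSH_FROM_NET)
    fw.commit()                           # delete and add land together
    observed.append(set(fw.committed))
    return observed


if __name__ == "__main__":
    print("implicit:", backend_states(explicit=False))
    print("explicit:", backend_states(explicit=True))
```

Two design points carry the proposal's security argument: `commit()` builds and validates a complete candidate before the single assignment to `self.committed`, so a bad change in the batch leaves the backend untouched and the staged changes still visible in `show()` for correction; and because nothing reaches the backend between `delete_rule` and `add_rule`, there is no window in which the old deny has been removed but its replacement not yet applied.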