FWaaS - Firewall Explicit Commit Operation

Registered by Sumit Naiksatam on 2013-08-07

In Neutron Firewall as a Service (FWaaS), we currently support an implicit commit mode, wherein a change made to a firewall_rule is propagated immediately to all the firewalls that use this rule (via their firewall_policy association), and the rule gets applied in the backend firewalls. This might be acceptable, however this is different from the explicit commit semantics which most firewalls support. Having an explicit commit operation ensures that multiple rules can be applied atomically, as opposed to in the implicit case where each rule is applied atomically and thus opens up the possibility of security holes between two successive rule applications.

Blueprint information

Status:
Complete
Approver:
Mark McClain
Priority:
Undefined
Drafter:
Sumit Naiksatam
Direction:
Needs approval
Assignee:
Sumit Naiksatam
Definition:
Obsolete
Series goal:
None
Implementation:
Needs Code Review
Milestone target:
milestone icon next
Started by
Sumit Naiksatam on 2013-08-27
Completed by
Armando Migliaccio on 2015-11-13

Related branches

Sprints

Whiteboard

Nov-13-2015(armax): If someone is interested in pursuing it, this must be re-submitted according to guidelines defined in [1], especially in light of fwaas v2 api proposal.

[1] http://docs.openstack.org/developer/neutron/policies/blueprints.html

-----------------

Moving to Next since this will be discussed at the next summit.

Gerrit topic: https://review.openstack.org/#q,topic:bp/neutron-fwaas-explicit-commit,n,z

Addressed by: https://review.openstack.org/41353
    FWaaS - Firewall Explicit Commit Operation

(?)

Work Items

Dependency tree

* Blueprints in grey have been implemented.

This blueprint contains Public information 
Everyone can see this information.