FWaaS - Firewall Explicit Commit Operation

Registered by Sumit Naiksatam

In Neutron Firewall as a Service (FWaaS), we currently support an implicit commit mode, wherein a change made to a firewall_rule is propagated immediately to all the firewalls that use this rule (via their firewall_policy association), and the rule gets applied in the backend firewalls. This might be acceptable, but it differs from the explicit commit semantics that most firewalls support. An explicit commit operation ensures that multiple rules can be applied atomically; in the implicit case each rule is applied atomically on its own, which opens up the possibility of security holes between two successive rule applications.
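The gap between two successive rule applications can be shown with a toy first-match policy model. This is an added example, not Neutron FWaaS code: the `Rule` type, the function names and the sample policy are all hypothetical and constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str           # "allow" or "deny"
    src: str              # source CIDR
    port: Optional[int]   # None matches any destination port

def evaluate(policy, src_ip, port):
    """First matching rule wins; no match means deny."""
    addr = ipaddress.ip_address(src_ip)
    for rule in policy.values():
        if addr in ipaddress.ip_network(rule.src) and rule.port in (None, port):
            return rule.action
    return "deny"

def implicit_apply(policy, updates):
    """Implicit mode: each rule update is live as soon as it is made."""
    live, states = dict(policy), []
    for rule_id, rule in updates:
        live[rule_id] = rule
        states.append(dict(live))   # what the backend enforces right now
    return states

def explicit_commit(policy, updates):
    """Explicit mode: stage every update, then expose one new policy."""
    staged = dict(policy)
    for rule_id, rule in updates:
        staged[rule_id] = rule
    return [staged]                 # the only state the backend ever sees

def transient_holes(policy, updates, apply, probe):
    """Indexes of states that allow a probe both old and final policy deny."""
    states = apply(policy, updates)
    if "allow" in (evaluate(policy, *probe), evaluate(states[-1], *probe)):
        return []
    return [i for i, s in enumerate(states) if evaluate(s, *probe) == "allow"]

# Constructed sample: moving from "block SSH, allow the rest"
# to "allow SSH from 10.0.0.0/8 only, block the rest".
OLD = {"r1": Rule("deny", "0.0.0.0/0", 22), "r2": Rule("allow", "0.0.0.0/0", None)}
UPDATES = [("r1", Rule("allow", "10.0.0.0/8", 22)), ("r2", Rule("deny", "0.0.0.0/0", None))]
PROBE = ("203.0.113.7", 22)   # SSH from a source outside 10.0.0.0/8

if __name__ == "__main__":
    print("implicit:", transient_holes(OLD, UPDATES, implicit_apply, PROBE))
    print("explicit:", transient_holes(OLD, UPDATES, explicit_commit, PROBE))
```

With implicit application, the state after the first update allows the probe even though both the old and the intended policy deny it; with a single commit that intermediate state is never enforced.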

Blueprint information

Status: Complete
Approver: Mark McClain
Priority: Undefined
Drafter: Sumit Naiksatam
Direction: Needs approval
Assignee: Sumit Naiksatam
Definition: Obsolete
Series goal: None
Implementation: Needs Code Review
Milestone target: next
Started by: Sumit Naiksatam
Completed by: Armando Migliaccio

Whiteboard

Nov-13-2015(armax): If someone is interested in pursuing it, this must be re-submitted according to guidelines defined in [1], especially in light of fwaas v2 api proposal.

[1] http://docs.openstack.org/developer/neutron/policies/blueprints.html

-----------------

Moving to Next since this will be discussed at the next summit.

Gerrit topic: https://review.openstack.org/#q,topic:bp/neutron-fwaas-explicit-commit,n,z

Addressed by: https://review.openstack.org/41353
    FWaaS - Firewall Explicit Commit Operation
