FWaaS - Firewall Explicit Commit Operation
In Neutron Firewall as a Service (FWaaS), we currently support an implicit commit mode, wherein a change made to a firewall_rule is propagated immediately to all the firewalls that use this rule (via their firewall_policy association), and the rule gets applied in the backend firewalls. This might be acceptable, however this is different from the explicit commit semantics which most firewalls support. Having an explicit commit operation ensures that multiple rules can be applied atomically, as opposed to in the implicit case where each rule is applied atomically and thus opens up the possibility of security holes between two successive rule applications.
Blueprint information
- Status:
- Complete
- Approver:
- Mark McClain
- Priority:
- Undefined
- Drafter:
- Sumit Naiksatam
- Direction:
- Needs approval
- Assignee:
- Sumit Naiksatam
- Definition:
- Obsolete
- Series goal:
- None
- Implementation:
- Needs Code Review
- Milestone target:
- next
- Started by
- Sumit Naiksatam
- Completed by
- Armando Migliaccio
Related branches
Related bugs
Sprints
Whiteboard
Nov-13-2015(armax): If someone is interested in pursuing it, this must be re-submitted according to guidelines defined in [1], especially in light of fwaas v2 api proposal.
[1] http://
-----------------
Moving to Next since this will be discussed at the next summit.
Gerrit topic: https:/
Addressed by: https:/
FWaaS - Firewall Explicit Commit Operation
Work Items
Dependency tree
* Blueprints in grey have been implemented.