Hi Sumit,

So all the other Network Services like LBaaS and VPNaaS also have to support implicit and explicit 'Commit' modes for configuration.
It is certainly a good idea to support implicit and explicit modes. It is good if all the other network services also follow the same.

regards,
balaji

On Sat, Aug 3, 2013 at 7:13 AM, Sumit Naiksatam <sumitnaiksa...@gmail.com> wrote:

> Hi All,
>
> In Neutron Firewall as a Service (FWaaS), we currently support an
> implicit commit mode, wherein a change made to a firewall_rule is
> propagated immediately to all the firewalls that use this rule (via
> the firewall_policy association), and the rule gets applied in the
> backend firewalls. This might be acceptable, however this is different
> from the explicit commit semantics which most firewalls support.
> Having an explicit commit operation ensures that multiple rules can be
> applied atomically, as opposed to in the implicit case where each rule
> is applied atomically and thus opens up the possibility of security
> holes between two successive rule applications.
>
> So the proposal here is quite simple -
>
> * When any changes are made to the firewall_rules
> (added/deleted/updated), no changes will happen on the firewall (only
> the corresponding firewall_rule resources are modified).
>
> * We will support an explicit commit operation on the firewall
> resource. Any changes made to the rules since the last commit will now
> be applied to the firewall when this commit operation is invoked.
>
> * A show operation on the firewall will show a list of the currently
> committed rules, and also the pending changes.
>
> Kindly respond if you have any comments on this.
>
> Thanks,
> ~Sumit.
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
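The difference between the two commit modes in the quoted proposal, as an added example that is not part of the thread and not Neutron FWaaS code. It is a toy in-memory model: the `Firewall` class, its methods, the first-match/default-deny evaluation and the sample rules are all assumptions made for illustration.

```python
import ipaddress

def allows(rules, src, port):
    """First-match evaluation over (action, cidr, port) rules; default deny."""
    for action, cidr, rule_port in rules:
        if rule_port == port and ipaddress.ip_address(src) in ipaddress.ip_network(cidr):
            return action == "allow"
    return False

class Firewall:
    """Hypothetical model: API-side rule resources vs. what the backend enforces."""
    def __init__(self, rules, explicit_commit):
        self.explicit_commit = explicit_commit
        self.rules = list(rules)        # firewall_rule resources (API state)
        self.committed = list(rules)    # rule set enforced by the backend
        self.history = [tuple(rules)]   # every rule set the backend has enforced

    def commit(self):
        """Push all pending rule changes to the backend in one step."""
        self.committed = list(self.rules)
        self.history.append(tuple(self.committed))

    def _changed(self):
        if not self.explicit_commit:    # implicit mode: each edit goes live at once
            self.commit()

    def delete_rule(self, rule):
        self.rules.remove(rule)
        self._changed()

    def insert_rule(self, index, rule):
        self.rules.insert(index, rule)
        self._changed()

    def show(self):
        """Committed rules plus pending changes, like the proposed show operation."""
        return {"committed": list(self.committed),
                "pending_add": [r for r in self.rules if r not in self.committed],
                "pending_delete": [r for r in self.committed if r not in self.rules]}

def run_change(explicit_commit):
    """Widen an SSH deny from 10.0.9.0/24 to 10.0.8.0/23 as two rule edits (constructed data)."""
    old_deny = ("deny", "10.0.9.0/24", 22)
    fw = Firewall([old_deny, ("allow", "10.0.0.0/8", 22)], explicit_commit)
    fw.delete_rule(old_deny)
    fw.insert_rule(0, ("deny", "10.0.8.0/23", 22))
    pending = fw.show()
    if explicit_commit:
        fw.commit()
    # Enforced states in which the host that must stay blocked could reach SSH.
    return sum(allows(state, "10.0.9.5", 22) for state in fw.history), pending
```

In implicit mode the backend briefly enforces a rule set with no deny at all for 10.0.9.5; in explicit mode it only ever sees the old and the new rule set.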