
yahoo-eng-team team mailing list archive

[Bug 1440309] [NEW] Fwaas - update/create firewall will use the associated policy no matter whether it's audited or not

 

Public bug reported:

New Firewall Rules cannot be directly added to a virtual Firewall. The
rules have to be first added to a Firewall Policy and the Firewall
Policy has to be reapplied for the rules to take effect

This two-step process allows the Firewall Policy to be audited after
the new rules are added and before the policy is reapplied to a Firewall

However in implementation, create/update firewall will use the
associated firewall policy no matter whether it's audited or not which
makes all the design decisions meaningless

I consider the right implementation to be similar to the git workflow.

1. The audited firewall policy is the master branch and create/update firewall can only use the master branch.
2. A modification to a firewall policy is just like a feature branch. Once its audited attribute is set to True, it gets merged back into the master branch.

So this implies:

1. Creating a firewall policy must have audited set to True
2. We should support version control for firewall policy, so rollback is available

It's a lot of work to do, which suggests that we rethink the
necessity of auditing

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1440309

Title:
  Fwaas - update/create firewall will use the associated policy no
  matter whether it's audited or not

Status in OpenStack Neutron (virtual network service):
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1440309/+subscriptions
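
A minimal model of the git-like workflow proposed in the report, added here as an illustration; it is not Neutron FWaaS code, and every class and function name in it is hypothetical. It assumes a never-audited policy is refused outright, that any rule edit clears the audited flag, and that each audit freezes a snapshot so rollback is possible.

```python
from dataclasses import dataclass, field

class UnauditedPolicyError(Exception):
    """No audited version exists for the policy a firewall refers to."""

@dataclass
class FirewallPolicy:  # hypothetical model, not the Neutron FWaaS class
    name: str
    draft: list = field(default_factory=list)     # working copy ("feature branch")
    audited: bool = False                         # True only if draft == newest version
    versions: list = field(default_factory=list)  # audited snapshots ("master" history)

    def add_rule(self, rule):
        self.draft.append(rule)
        self.audited = False  # any edit invalidates the previous audit

    def mark_audited(self):
        self.versions.append(tuple(self.draft))  # "merge": freeze the reviewed draft
        self.audited = True

    def rollback(self):
        if len(self.versions) < 2:
            raise ValueError("no earlier audited version")
        self.versions.pop()
        self.draft = list(self.versions[-1])
        self.audited = True

def rules_for_firewall(policy):
    """Rules a create/update firewall call would enforce: audited ones only."""
    if not policy.versions:
        raise UnauditedPolicyError(policy.name)
    return list(policy.versions[-1])

def demo():
    p = FirewallPolicy("web")
    p.add_rule("allow tcp/443")  # constructed sample rules
    try:
        rules_for_firewall(p)
        refused = False
    except UnauditedPolicyError:
        refused = True  # never-audited policy cannot be applied
    p.mark_audited()
    p.add_rule("allow tcp/23")  # unaudited edit
    pending = rules_for_firewall(p)  # still the audited snapshot
    p.mark_audited()
    merged = rules_for_firewall(p)
    p.rollback()
    return refused, pending, merged, rules_for_firewall(p), p.audited
```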

