yahoo-eng-team team mailing list archive
Message #31066
[Bug 1440309] Re: Fwaas - update/create firewall will use the associated policy no matter whether it's audited or not
That's better to be discussed with fwaas team first. Description doesn't
look like a valid bug report.
** Changed in: neutron
Status: New => Opinion
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1440309
Title:
Fwaas - update/create firewall will use the associated policy no
matter whether it's audited or not
Status in OpenStack Neutron (virtual network service):
Opinion
Bug description:
New Firewall Rules cannot be directly added to a virtual Firewall. The
rules have to be first added to a Firewall Policy and the Firewall
Policy has to be reapplied for the rules to take effect.
This two-step process allows the Firewall Policy to be audited after
the new rules are added and before the policy is reapplied to a
Firewall.
However, in implementation, create/update firewall will use the
associated firewall policy no matter whether it's audited or not, which
makes all the design decisions meaningless.
I consider the right implementation is similar to a git workflow.
1. The audited firewall policy is the master branch and create/update firewall can only use the master branch.
2. A modification to a firewall policy is just like a feature branch. Once its audited attribute is set to True, it gets merged back into the master branch.
So this implies:
1. Creating a firewall policy must have audited set to True.
2. We should support version control for firewall policy, so rollback is available.
It's a lot of work to do, which suggests that we rethink the
necessity of auditing.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1440309/+subscriptions
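The git-style workflow proposed in the bug description can be modelled as below. This is an added example, not Neutron FWaaS code and not part of the original report; `PolicyStore`, its methods and the sample rules are hypothetical names constructed for illustration, and `rules_as_reported` stands in for the behaviour the report describes.

```python
class PolicyStore:
    """Hypothetical in-memory model; none of these names are Neutron APIs."""

    def __init__(self):
        self._draft = {}    # policy_id -> editable rule list ("feature branch")
        self._history = {}  # policy_id -> audited snapshots, newest last ("master")

    def create_policy(self, policy_id, rules):
        # Proposal point 1: a newly created policy starts out audited.
        self._draft[policy_id] = list(rules)
        self._history[policy_id] = [tuple(rules)]

    def insert_rule(self, policy_id, rule):
        # Edits land only in the draft, so the policy becomes unaudited.
        self._draft[policy_id].append(rule)

    def audited(self, policy_id):
        return self._history[policy_id][-1] == tuple(self._draft[policy_id])

    def set_audited(self, policy_id):
        # "Merge to master": snapshot the draft as a new audited version.
        if not self.audited(policy_id):
            self._history[policy_id].append(tuple(self._draft[policy_id]))

    def rollback(self, policy_id):
        # Proposal point 2: drop the newest audited version, keep at least one.
        history = self._history[policy_id]
        if len(history) < 2:
            raise ValueError("no earlier audited version to roll back to")
        history.pop()
        self._draft[policy_id] = list(history[-1])

    def rules_as_reported(self, policy_id):
        # Behaviour the report describes: the audited flag is ignored.
        return list(self._draft[policy_id])

    def rules_as_proposed(self, policy_id):
        # Proposed behaviour: a firewall only sees the last audited version.
        return list(self._history[policy_id][-1])


def demo():
    store = PolicyStore()
    store.create_policy("p1", ["allow tcp/22"])   # constructed sample rules
    store.insert_rule("p1", "allow tcp/3389")     # edit not yet audited
    before = (store.rules_as_reported("p1"), store.rules_as_proposed("p1"))
    store.set_audited("p1")
    after = store.rules_as_proposed("p1")
    store.rollback("p1")
    return before, after, store.rules_as_proposed("p1")
```

In `demo()`, the unaudited rule reaches the firewall only through `rules_as_reported`; under the proposed model it appears after `set_audited` and disappears again after `rollback`.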