yahoo-eng-team team mailing list archive

[Bug 1440309] Re: Fwaas - update/create firewall will use the associated policy no matter whether it's audited or not

 

That's better to be discussed with fwaas team first. Description doesn't
look like a valid bug report.

** Changed in: neutron
       Status: New => Opinion

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1440309

Title:
  Fwaas - update/create firewall will use the associated policy no
  matter whether it's audited or not

Status in OpenStack Neutron (virtual network service):
  Opinion

Bug description:
  New Firewall Rules cannot be directly added to a virtual Firewall. The
  rules have to be first added to a Firewall Policy and the Firewall
  Policy has to be reapplied for the rules to take effect

  This two-step process allows the Firewall Policy to be audited after
  the new rules are added and before the policy is reapplied to a
  Firewall

  However in implementation, create/update firewall will use the
  associated firewall policy no matter whether it's audited or not which
  makes all the design decisions meaningless

  I consider the right implementation is similar to git workflow.

  1. The audited firewall policy is the master branch and create/update firewall can only use the master branch.
  2. A modification to a firewall policy is just like a feature branch. Once its audited attribute is set to True, it gets merged back into the master branch

  So this implies:

  1. Creating a firewall policy must have audited set to True
  2. We should support version control for firewall policy, so rollback is available

  It's a lot of work to do which suggests that we rethink about the
  necessity of audition

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1440309/+subscriptions
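
The workflow proposed in the bug description, modelled as an added Python example that is not Neutron FWaaS code or its API. The `Revision`, `FirewallPolicy` and `Firewall` classes and their methods are hypothetical; the model assumes a firewall may only enforce the newest audited revision of its policy and can roll back to an earlier audited one.

```python
# Hypothetical model of the proposed audit gate; not Neutron FWaaS code or its API.
from dataclasses import dataclass, field, replace

@dataclass(frozen=True)
class Revision:
    number: int
    rules: tuple       # immutable snapshot of the rule list
    audited: bool = False

@dataclass
class FirewallPolicy:
    name: str
    revisions: list = field(default_factory=list)

    def propose(self, rules):
        """Record a rule change as a new, unaudited revision (the 'feature branch')."""
        self.revisions.append(Revision(len(self.revisions) + 1, tuple(rules)))
        return self.revisions[-1].number

    def audit(self, number):
        """Mark one revision audited (the 'merge into master')."""
        self.revisions[number - 1] = replace(self.revisions[number - 1], audited=True)

    def audited_head(self, before=None):
        """Newest audited revision, optionally older than `before` (used for rollback)."""
        for rev in reversed(self.revisions):
            if rev.audited and (before is None or rev.number < before):
                return rev
        return None

class Firewall:
    def __init__(self, policy):
        self.policy, self.applied = policy, None

    def apply(self):
        """Create/update path: enforce only the newest audited revision."""
        head = self.policy.audited_head()
        if head is None:
            raise PermissionError(f"policy {self.policy.name!r} has no audited revision")
        self.applied = head
        return head.number

    def rollback(self):
        """Return to the audited revision preceding the applied one."""
        prev = self.policy.audited_head(self.applied.number) if self.applied else None
        if prev is None:
            raise LookupError("no earlier audited revision to roll back to")
        self.applied = prev
        return prev.number
```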

