Firewall as a service API - separation of rule definitions and rule order [closed]

asked 2014-05-01 18:21:03 -0500


updated 2014-05-01 18:40:52 -0500

In the FWaaS API the rule definitions are separated from the rule ordering, which is specified at the time of policy creation. This is different from how many of the vendors (Palo Alto, Juniper, Fortinet) have implemented rule creation and ordering together.

Is it the responsibility of the plugin to convert this in a manner that is suitable for those vendors, considering that asking the vendors to change their implementation may not be practical?

One alternate method, which may limit reuse somewhat, is adding the policy name and the order (which could be done by referring to the immediate predecessor in the hierarchy), i.e. if a policy consists of rules r1, r2 and r3, then during rule creation we can specify: r1 - policy - p1, predecessor "none"; r2 - policy - p1, predecessor "r1"; r3 - policy - p1, predecessor "r2".

With such a model it is not required to list the whole rule set order whenever a new rule is added to the policy, which may be useful if the number of rules is large. For example, if r21 is added after r2, one rule add with r21 - policy p1 - predecessor r2 will indicate the desired ordering.


Closed for the following reason: "too subjective and argumentative" by smaffulli
Close date: 2014-05-02 15:39:30.012232
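The predecessor-based model proposed in the question, as an added example (not part of the original post and not OpenStack FWaaS code): it replays rule-add requests into the full ordered list a policy needs, and converts an ordered list back into predecessor form. The tuple layout, function names and sample data are assumptions made for illustration.

```python
def apply_rule_adds(adds):
    """Replay (rule, policy, predecessor) rule-add requests in arrival order.

    predecessor=None places the rule first in its policy. Returns
    {policy: [rule, ...]}, the complete evaluation order per policy.
    """
    order = {}
    for rule, policy, pred in adds:
        rules = order.setdefault(policy, [])
        if rule in rules:
            raise ValueError(f"{policy}: rule {rule!r} already in policy")
        if pred is None:
            index = 0
        elif pred in rules:
            # Splice in directly after the predecessor; the rule that used to
            # follow it now implicitly follows the new rule.
            index = rules.index(pred) + 1
        else:
            # Fail closed: firewall rules are order-sensitive, so guessing a
            # position (e.g. appending) could place the rule after one that
            # shadows it.
            raise ValueError(f"{policy}: predecessor {pred!r} of {rule!r} not found")
        rules.insert(index, rule)
    return order


def to_predecessor_form(order):
    """Inverse direction: ordered lists -> (rule, policy, predecessor) tuples."""
    out = []
    for policy, rules in order.items():
        pred = None
        for rule in rules:
            out.append((rule, policy, pred))
            pred = rule
    return out


# Constructed sample: the r1/r2/r3 policy from the question, then r21 after r2.
SAMPLE_ADDS = [
    ("r1", "p1", None),
    ("r2", "p1", "r1"),
    ("r3", "p1", "r2"),
    ("r21", "p1", "r2"),
]

if __name__ == "__main__":
    ordered = apply_rule_adds(SAMPLE_ADDS)
    print(ordered)
    print(to_predecessor_form(ordered))
```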

Comments

It's better to discuss these sorts of ideas on the openstack-dev mailing list, not here.

smaffulli ( 2014-05-02 15:39:19 -0500 )