Translation of Congress Table to Neutron Group-based Policy Tables

This specification describes how to integrate Congress Policy with Neutron Group-based Policy (GBP).

Problem description

Congress provides a mechanism that allows OpenStack clients to define policy to be applied across all OpenStack components, including networking. Neutron Group-based Policy provides a high-level abstraction for defining network connectivity between groups of endpoints.

It is desirable to integrate Congress and GBP so that Congress can monitor and enforce GBP policies. A Congress Reachability table can be used to specify connectivity policy between endpoints. This table can be translated into a set of tables that represent GBP entities, such as Policy Target Groups, Policy Rules, Policy Classifier, etc.

Proposed change

GBP can be represented by these tables:

  • Endpoints (endpoint_id)

  • Endpoint_group (endpoint_id, endpoint_group_id)

  • Classifiers (classifier_id, port, protocol, direction)

  • Classifier_group (classifier_id, classifier_group_id)

  • Actions (action_id, action_type, action_value)

  • Action_group (action_id, action_group_id)

  • Policy_rule (policy_rule_id, classifier_group_id, action_group_id)

  • Contracts (contract_id, policy_rule_id)

  • PolicyInstance (endpoint_group_id, relation, contract_id)

A Congress Reachability policy table may be defined to form a policy between two groups of endpoints:

Reachable (id, group1, group2, src_port, dst_port)

The goal is to translate the input Reachable policy table into the output GBP tables with the Congress policy language, using functions such as:

PolicyInstance(group_id1, relation, contract_id) :-
    reachable(contract_id, group_id1, group_id2, x, y),
    producer_relation(relation)

The example below shows such a policy in Congress Datalog syntax: two groups, tier 1 and tier 2, communicate bidirectionally on port 80.

Operator Input Data (from operator or cloud management system)

Tier Membership (tier_id, vm_id)

(1, 100) (1, 101) (2, 102)

Policy Input Data


(1) (2)

Reachability policy table

Reachable (id, src, dst, src_port, dst_port)

(10, tier1, tier2, *, 80)

(11, tier2, tier1, *, 80)
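
The PolicyInstance rule evaluated over the sample Reachable rows, as an added example that is not part of the original specification or of Congress itself: a small join evaluator in Python derives the output rows and flags contracts that end up bound on only one side. The relation constants `producer` and `consumer`, the `consumer_relation` table with its mirror rule, and all function names are assumptions made for illustration.

```python
# Added example: evaluate Datalog-style rules as joins over in-memory tables.

def evaluate(head_vars, body, facts):
    """Return the rows derived by one rule: head(head_vars) :- body.

    body is a list of (table, [variable names]); facts maps table -> set of rows.
    """
    bindings = [{}]
    for table, variables in body:
        extended = []
        for env in bindings:
            for row in facts.get(table, ()):
                if len(row) != len(variables):
                    continue
                new = dict(env)
                # Unify: a variable bound by an earlier atom must keep its value.
                if all(new.setdefault(v, val) == val for v, val in zip(variables, row)):
                    extended.append(new)
        bindings = extended
    return {tuple(env[v] for v in head_vars) for env in bindings}

REACHABLE_ATOM = ("reachable", ["contract_id", "group_id1", "group_id2", "x", "y"])

# Sample Reachable rows from this spec; the relation constants are constructed.
FACTS = {
    "reachable": {(10, "tier1", "tier2", "*", 80), (11, "tier2", "tier1", "*", 80)},
    "producer_relation": {("producer",)},
    "consumer_relation": {("consumer",)},  # hypothetical table, not in the spec
}

def policy_instances(facts):
    # Rule from the spec: the first group is bound to the contract as its producer.
    producers = evaluate(["group_id1", "relation", "contract_id"],
                         [REACHABLE_ATOM, ("producer_relation", ["relation"])], facts)
    # Assumed mirror rule: the second group is bound to the contract as its consumer.
    consumers = evaluate(["group_id2", "relation", "contract_id"],
                         [REACHABLE_ATOM, ("consumer_relation", ["relation"])], facts)
    return producers | consumers

def half_bound_contracts(facts):
    """Reachable ids whose contract lacks a producer row or a consumer row."""
    rows = policy_instances(facts)
    bound = lambda table: {c for _g, rel, c in rows if (rel,) in facts.get(table, ())}
    both = bound("producer_relation") & bound("consumer_relation")
    return sorted({row[0] for row in facts["reachable"]} - both)

if __name__ == "__main__":
    for row in sorted(policy_instances(FACTS), key=str):
        print("PolicyInstance", row)
    print("half-bound contracts:", half_bound_contracts(FACTS))
```
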

Policy Actions

These tables allow Congress to monitor and enforce GBP policies.

Data Sources

Neutron Group-based Policy. Details of GBP can be found here:

Data model impact


REST API impact


Security impact


Notifications impact


Other end user impact


Performance impact


Other deployer impact


Developer impact




Primary assignee:

louis.fourie, alex.yip, cathy.zhang

Other contributors:

Work items

  • Define translation functions.

  • Implement the new constant tables and function tables to perform the translation.


  • This is dependent on the implementation of a GBP data-source driver for Congress.


Some sample input tables will be created and the translation verified by checking the contents of the output trigger tables.

Documentation impact

All translation details will be documented.