*** haixia has quit IRC | 02:10 | |
*** haixia has joined #openstack-dragonflow | 02:11 | |
*** zenoway has joined #openstack-dragonflow | 02:15 | |
*** zenoway has quit IRC | 02:19 | |
*** gongysh has joined #openstack-dragonflow | 02:34 | |
*** zenoway has joined #openstack-dragonflow | 02:51 | |
*** zenoway has quit IRC | 02:56 | |
*** irenab_ has joined #openstack-dragonflow | 03:53 | |
*** irenab has quit IRC | 03:54 | |
*** irenab_ is now known as irenab | 03:54 | |
*** gongysh has quit IRC | 04:08 | |
*** yamamoto has quit IRC | 04:31 | |
*** irenab has quit IRC | 04:52 | |
*** yamamoto has joined #openstack-dragonflow | 05:14 | |
*** zenoway has joined #openstack-dragonflow | 05:19 | |
*** zenoway has quit IRC | 05:24 | |
*** irenab has joined #openstack-dragonflow | 05:31 | |
gsagie | thingee: doing it now, i must have missed the ability to edit the topic | 05:34 |
---|---|---|
*** oanson has joined #openstack-dragonflow | 05:39 | |
*** zenoway has joined #openstack-dragonflow | 05:55 | |
*** zenoway has quit IRC | 06:00 | |
openstackgerrit | hujie proposed openstack/dragonflow: add data sync mechanism for keep db consistency https://review.openstack.org/300877 | 07:09 |
*** zenoway has joined #openstack-dragonflow | 07:16 | |
*** zenoway has quit IRC | 07:33 | |
*** zenoway has joined #openstack-dragonflow | 07:33 | |
*** gongysh has joined #openstack-dragonflow | 07:35 | |
*** zenoway has quit IRC | 07:38 | |
*** zenoway has joined #openstack-dragonflow | 07:49 | |
*** yuanwei has quit IRC | 08:02 | |
*** haixia has quit IRC | 08:04 | |
*** haixia has joined #openstack-dragonflow | 08:04 | |
*** haixia has quit IRC | 08:06 | |
*** haixia has joined #openstack-dragonflow | 08:06 | |
*** yuanwei has joined #openstack-dragonflow | 08:07 | |
openstackgerrit | yuan wei proposed openstack/dragonflow: this patch intend to solve bug #1571523, "Changing VM to new SG is not working" https://review.openstack.org/307628 | 08:13 |
openstack | bug 1571523 in DragonFlow "Changing VM to new SG is not working" [High,New] https://launchpad.net/bugs/1571523 - Assigned to yuan wei (wei-yuan) | 08:13 |
*** gongysh has quit IRC | 08:24 | |
yuli_s | yuanwei, the patch looks good | 08:27 |
yuli_s | ;) | 08:27 |
gsagie | nick-ma: ping | 08:31 |
yuli_s | hm | 08:31 |
yuli_s | yuanwei, something is not clear for me in table=6 | 08:34 |
yuli_s | i have 2 VMS, 2 custom SGs, each VM has 2 SGs | 08:34 |
yuli_s | in table 6: | 08:34 |
yuli_s | table=6, n_packets=7, n_bytes=518, priority=4,conj_id=2,ip actions=ct(commit,table=9,zone=NXM_NX_CT_ZONE[]) | 08:34 |
yuli_s | table=6, n_packets=5, n_bytes=370, priority=5,conj_id=3,ip actions=ct(commit,table=9,zone=NXM_NX_CT_ZONE[]) | 08:34 |
yuli_s | table=6, n_packets=0, n_bytes=0, priority=4,ip actions=conjunction(2,2/2) | 08:34 |
*** saggi has joined #openstack-dragonflow | 08:34 | |
yuli_s | table=6, n_packets=0, n_bytes=0, priority=5,ip actions=conjunction(3,2/2) | 08:35 |
yuli_s | table=6, n_packets=0, n_bytes=0, priority=4,ct_state=+new-est-rel-inv+trk,in_port=9 actions=conjunction(2,1/2) | 08:35 |
yuli_s | table=6, n_packets=0, n_bytes=0, priority=4,ct_state=+new-est-rel-inv+trk,in_port=10 actions=conjunction(2,1/2) | 08:35 |
yuli_s | \ | 08:35 |
yuli_s | table=6, n_packets=0, n_bytes=0, priority=5,ct_state=+new-est-rel-inv+trk,in_port=10 actions=conjunction(3,1/2) | 08:35 |
yuli_s | table=6, n_packets=0, n_bytes=0, priority=5,ct_state=+new-est-rel-inv+trk,in_port=9 actions=conjunction(3,1/2) | 08:35 |
yuli_s | can we use half rules here ? | 08:36 |
yuanwei | yuli_s: just saw, thanks:) | 08:37 |
yuanwei | about the question you ask, I don't understand...what are "half rules" ? do you mean flows with actions of "conjunction(XXX,1/2)" or "conjunction(XXX,2/2)" ? | 08:41 |
yuanwei | table=6, n_packets=0, n_bytes=0, priority=4,ct_state=+new-est-rel-inv+trk,in_port=9 actions=conjunction(2,1/2) | 08:44 |
yuanwei | table=6, n_packets=0, n_bytes=0, priority=5,ct_state=+new-est-rel-inv+trk,in_port=9 actions=conjunction(3,1/2) | 08:44 |
yuanwei | those flows represent one VM is associating two SGs (one is bound with conj_id 2, another is bound with conj_id 3 ) | 08:47 |
yuanwei | table=6, n_packets=0, n_bytes=0, priority=4,ct_state=+new-est-rel-inv+trk,in_port=10 actions=conjunction(2,1/2) | 08:47 |
yuanwei | table=6, n_packets=0, n_bytes=0, priority=5,ct_state=+new-est-rel-inv+trk,in_port=10 actions=conjunction(3,1/2) | 08:47 |
yuanwei | so do those flows, but another VM | 08:47 |
yuanwei | and flows with action of "conjunction(XXX, 2/2)" represent security group rules in the SG which are bound with conj_id XXX | 08:50 |
yuli_s | yes, | 08:51 |
yuli_s | i do not understand why we need 2 | 08:51 |
yuanwei | because each VM is associating with 2 SGs, and we have 2 VMs, then we get 4 associating relations in total | 08:54 |
yuli_s | hm, | 08:58 |
yuli_s | let me consult with Omer | 08:58 |
yuanwei | ok, seems I don't get the point you are asking:) | 08:59 |
nick-ma | gsagie: pong | 09:02 |
*** oanson has quit IRC | 09:10 | |
yuli_s | yuanwei, he went to eat | 09:11 |
yuli_s | let me explain myself | 09:11 |
yuli_s | when packet from vm reaches table 6 it will be marked with conj_id=3 because priority is higher | 09:12 |
yuli_s | and so, conj_id=2 tests are redundant | 09:13 |
gsagie | yuli_s: that's not correct, if one priority is not matched it will try the other | 09:14 |
gsagie | yuli_s: we have a conjunction id per security group | 09:14 |
yuanwei | gsagie: great, thanks | 09:15 |
gsagie | yuli_s: the reason why we use different priorities is because conjunction id is in the action and not as part of the match, so we wouldn't be able to insert flows otherwise (they would be the same flow) | 09:15 |
gsagie | yuanwei: hope i explained it correctly :) | 09:16 |
yuanwei | gsagie: correctly and clearly :) | 09:17 |
yuanwei | yuli_s: Hi yuli, about this bug https://bugs.launchpad.net/dragonflow/+bug/1571661, could you please check if VM1 has two interfaces which have those two addresses: 10.0.0.3 192.168.100.3? | 09:53 |
openstack | Launchpad bug 1571661 in DragonFlow "Bug in VM with 2 local net - security group patch" [High,New] - Assigned to yuan wei (wei-yuan) | 09:53 |
*** haixia_liu has joined #openstack-dragonflow | 10:02 | |
*** Mic22 has quit IRC | 10:29 | |
*** Mic22 has joined #openstack-dragonflow | 10:29 | |
*** Mic22 has quit IRC | 10:38 | |
*** Mic22 has joined #openstack-dragonflow | 10:38 | |
yuli_s | yuanwei, nop | 11:10 |
yuli_s | vm has one interface of 10.0.0.3 | 11:11 |
*** gongysh has joined #openstack-dragonflow | 11:11 | |
yuli_s | yuanwei, regarding the rule optimization in table 6, let's do it later. it is not urgent ! | 11:16 |
yuli_s | imho DNAT is more important, afterwards 2 local private ips in one VM | 11:17 |
yuli_s | hm, i think i found another "undocumented feature" in table=6 | 11:19 |
yuli_s | i created egress rule - TCP ALL | 11:20 |
yuli_s | the following rules were created | 11:21 |
yuli_s | cookie=0x18, duration=9.081s, table=6, n_packets=0, n_bytes=0, priority=4,tcp,tp_dst=1 actions=conjunction(2,2/2) | 11:21 |
yuli_s | cookie=0x18, duration=9.081s, table=6, n_packets=0, n_bytes=0, priority=4,tcp,tp_dst=0x2/0xfffe actions=conjunction(2,2/2) | 11:21 |
yuli_s | cookie=0x18, duration=9.081s, table=6, n_packets=0, n_bytes=0, priority=4,tcp,tp_dst=0x4/0xfffc actions=conjunction(2,2/2) | 11:21 |
yuli_s | cookie=0x18, duration=9.081s, table=6, n_packets=0, n_bytes=0, priority=4,tcp,tp_dst=0x8/0xfff8 actions=conjunction(2,2/2) | 11:21 |
yuli_s | cookie=0x18, duration=9.081s, table=6, n_packets=0, n_bytes=0, priority=4,tcp,tp_dst=0x10/0xfff0 actions=conjunction(2,2/2) | 11:21 |
yuli_s | cookie=0x18, duration=9.081s, table=6, n_packets=0, n_bytes=0, priority=4,tcp,tp_dst=0x20/0xffe0 actions=conjunction(2,2/2) | 11:21 |
yuli_s | cookie=0x18, duration=9.081s, table=6, n_packets=0, n_bytes=0, priority=4,tcp,tp_dst=0x40/0xffc0 actions=conjunction(2,2/2) | 11:21 |
yuli_s | cookie=0x18, duration=9.081s, table=6, n_packets=0, n_bytes=0, priority=4,tcp,tp_dst=0x80/0xff80 actions=conjunction(2,2/2) | 11:21 |
yuli_s | cookie=0x18, duration=9.081s, table=6, n_packets=0, n_bytes=0, priority=4,tcp,tp_dst=0x100/0xff00 actions=conjunction(2,2/2) | 11:21 |
yuli_s | cookie=0x18, duration=9.081s, table=6, n_packets=0, n_bytes=0, priority=4,tcp,tp_dst=0x200/0xfe00 actions=conjunction(2,2/2) | 11:21 |
yuli_s | cookie=0x18, duration=9.081s, table=6, n_packets=0, n_bytes=0, priority=4,tcp,tp_dst=0x400/0xfc00 actions=conjunction(2,2/2) | 11:21 |
yuli_s | cookie=0x18, duration=9.081s, table=6, n_packets=0, n_bytes=0, priority=4,tcp,tp_dst=0x800/0xf800 actions=conjunction(2,2/2) | 11:21 |
yuli_s | cookie=0x18, duration=9.081s, table=6, n_packets=0, n_bytes=0, priority=4,tcp,tp_dst=0x1000/0xf000 actions=conjunction(2,2/2) | 11:21 |
yuli_s | cookie=0x18, duration=9.081s, table=6, n_packets=0, n_bytes=0, priority=4,tcp,tp_dst=0x2000/0xe000 actions=conjunction(2,2/2) | 11:21 |
yuli_s | cookie=0x18, duration=9.081s, table=6, n_packets=0, n_bytes=0, priority=4,tcp,tp_dst=0x4000/0xc000 actions=conjunction(2,2/2) | 11:21 |
yuli_s | cookie=0x18, duration=9.081s, table=6, n_packets=0, n_bytes=0, priority=4,tcp,tp_dst=0x8000/0x8000 actions=conjunction(2,2/2) | 11:21 |
yuli_s | i think one rule is enough: | 11:22 |
yuli_s | table=6, n_packets=0, n_bytes=0, priority=4,tcp actions=conjunction(2,2/2) | 11:22 |
yuli_s | {"direction": "egress", "protocol": "tcp", "description": "", "port_range_max": 65535, "id": "40f02887-784b-4075-9d97-ebc7d16f0e58", "remote_group_id": null, "remote_ip_prefix": "0.0.0.0/0", "security_group_id": "768e9dca-9233-4be5-8734-ff1fd9e8217c", "tenant_id": "2531875466be46acb0bfd5db41590084", "port_range_min": 1, "ethertype": "IPv4"}], "name": "768e9dca-9233-4be5-8734-ff1fd9e8217c"} | 11:25 |
*** gongysh has quit IRC | 11:28 | |
*** yamamoto has quit IRC | 11:30 | |
todin | what does the conjunction action mean? | 11:42 |
*** hujie has quit IRC | 11:48 | |
*** hujie has joined #openstack-dragonflow | 11:49 | |
*** yamamoto has joined #openstack-dragonflow | 12:09 | |
*** oanson has joined #openstack-dragonflow | 12:19 | |
yuli_s | it is a kind of complicated rule | 12:20 |
yuli_s | it can consist of 2 or more groups of rules | 12:21 |
yuli_s | for example in group A can be "tcp port = 80 or tcp port = 22" | 12:21 |
yuli_s | group be can be "srcip = x or src_ip = y" | 12:22 |
yuli_s | ops | 12:22 |
yuli_s | group B = "srcip = x or src_ip = y" | 12:22 |
yuli_s | so, if you have at least one true value for A and one true value for B, conjunction is true, and conj_id has some value | 12:23 |
*** yamamoto has quit IRC | 12:24 | |
*** yamamoto has joined #openstack-dragonflow | 12:34 | |
*** yamamoto has quit IRC | 12:39 | |
*** yamamoto has joined #openstack-dragonflow | 12:44 | |
*** yamamoto has quit IRC | 12:45 | |
*** yamamoto has joined #openstack-dragonflow | 12:54 | |
*** yamamoto has quit IRC | 13:03 | |
*** irenab has quit IRC | 13:05 | |
*** yamamoto has joined #openstack-dragonflow | 13:05 | |
*** yamamoto has quit IRC | 13:14 | |
*** yamamoto has joined #openstack-dragonflow | 13:16 | |
*** gongysh has joined #openstack-dragonflow | 13:37 | |
*** yamamoto has quit IRC | 13:41 | |
*** yamamoto has joined #openstack-dragonflow | 13:43 | |
*** oanson has quit IRC | 14:18 | |
*** DuanKebo_ has joined #openstack-dragonflow | 14:21 | |
*** irenab has joined #openstack-dragonflow | 15:05 | |
*** zenoway has quit IRC | 15:06 | |
*** zenoway has joined #openstack-dragonflow | 15:06 | |
*** irenab has quit IRC | 15:07 | |
*** irenab has joined #openstack-dragonflow | 15:07 | |
*** zenoway has quit IRC | 15:11 | |
*** DuanKebo_ has quit IRC | 15:12 | |
*** DuanKebo_ has joined #openstack-dragonflow | 15:15 | |
*** oanson has joined #openstack-dragonflow | 15:30 | |
*** gongysh has quit IRC | 15:48 | |
*** gongysh has joined #openstack-dragonflow | 15:50 | |
*** yamamoto has quit IRC | 16:19 | |
*** gongysh has quit IRC | 16:38 | |
*** oanson has quit IRC | 16:53 | |
*** oanson has joined #openstack-dragonflow | 17:00 | |
*** yamamoto has joined #openstack-dragonflow | 17:20 | |
*** yamamoto has quit IRC | 17:28 | |
*** oanson has quit IRC | 17:31 | |
*** oanson has joined #openstack-dragonflow | 17:46 | |
*** oanson has quit IRC | 18:17 | |
*** zenoway has joined #openstack-dragonflow | 18:59 | |
*** zenoway has quit IRC | 23:06 | |
*** zenoway has joined #openstack-dragonflow | 23:07 | |
*** zenoway has quit IRC | 23:11 | |
*** DuanKebo_ has quit IRC | 23:33 |