Tuesday, 2017-01-24

« Monday, 2017-01-23 Index Wednesday, 2017-01-25 »
xgermanThanks. No worries...00:36
yushiroHowever, FWaaS DB inherits common_db_mixin in neutron now.  Is this module also migrated into neutron-lib?00:42
*** hoangcx has joined #openstack-fwaas00:47
njohnstonI do not believe that this module has migrated, no01:16
yushironjohnston, OK.  now, I created new PS into neutron-fwaas.01:17
yushiroAs you said, I could create the patch in neutron-fwaas.01:18
yushiroAs soon as I finished writing UTs, I'll upload.  I hope you can take a look.01:18
*** lnicolas1 has quit IRC02:09
reedipWhen is the next meeting , today ???02:27
reedipWeekly meeting02:27
hoangcxreedip: Weekly on Tuesday at 1400 UTC02:30
reediphoangcx  : so today, right. Thanks :)02:36
hoangcxreedip: Yes.02:37
*** yushiro has quit IRC03:29
*** reedip has quit IRC03:34
*** reedip has joined #openstack-fwaas03:46
*** yushiro has joined #openstack-fwaas05:25
*** padkrish has joined #openstack-fwaas06:25
*** yamamoto has quit IRC07:33
*** padkrish has quit IRC07:36
*** amotoki has quit IRC08:24
reediphi yushiro08:26
yushirohi08:26
reediphave we considered Rate Limiting with Firewalls?08:26
yushiroreedip, in V1?08:26
reedipin V208:27
yushiroI haevn't tested yet.08:29
reedipdo we have it ?08:30
reedipI mean do we have rate limiting on Ingress and Egress for Firewalls ?08:30
yushiroAh, rate limit is not for REST API but a kind of filter for firewall_rule ?08:31
yushirofirewall_group includes ports and firewall_policies(ingress, egress).08:32
*** amotoki has joined #openstack-fwaas08:33
reedipyushiro : yup08:35
*** yamamoto has joined #openstack-fwaas08:35
reedipideally qos should work well with it, but was just thinking if that is possible?08:35
yushiroI think qos is running on OVS, and current firewall_rule doesn't control rate limit.  Therefore, I think fwaas doesn't interfere qos.08:43
yushiroBut I'm not expert of qos :(  I'm sorry if I was wrong.08:44
yushiroreedip, Sorry.  I have to go dental clinic.  Let's discuss later after fwaas IRC meeting.08:46
reedipyushiro : no worries. I may not be able to catch up the meeting today though, but will come back on later to discuss the items on this channel08:47
yushirosure08:47
*** amotoki has quit IRC08:53
*** mickeys has quit IRC09:01
*** yushiro has quit IRC09:05
*** Brenda has joined #openstack-fwaas09:06
Brendahttps://bugs.launchpad.net/openstack-api-site/+bug/165673509:07
openstackLaunchpad bug 1656735 in neutron "Fwaas - insert_rule and remove_rule always set audited to False" [Undecided,Opinion] - Assigned to brenda (tian-mingming)09:07
BrendaThere are some different opinions about this bug. Can we have a discussion about it?09:08
reedipBrenda : we have a meeting today at UTC 140009:09
reedipwhere all ( or most ) FWaaS folks would be present09:09
BrendaOk09:10
BrendaI am in China.09:10
BrendaSo it's at 10:00 PM09:10
reedipits 8: 30 pm for me in India :)09:10
reedipanyways, If I attend , I will try to put this query up09:11
BrendaGreat. Then you can go to bed earlier:)09:11
BrendaOK, Thank you very much.09:13
*** yamamoto has quit IRC09:29
*** amotoki has joined #openstack-fwaas09:57
*** mickeys has joined #openstack-fwaas10:02
*** mickeys has quit IRC10:06
*** hoangcx has quit IRC10:06
*** yamamoto has joined #openstack-fwaas10:20
*** yamamoto has quit IRC10:21
*** amotoki has quit IRC11:07
*** amotoki has joined #openstack-fwaas11:30
*** yamamoto has joined #openstack-fwaas12:20
*** yamamoto has quit IRC13:04
*** AlexeyAbashkin has joined #openstack-fwaas13:16
*** yamamoto has joined #openstack-fwaas13:25
*** yamamoto has quit IRC13:25
*** hoangcx has joined #openstack-fwaas13:39
*** yushiro has joined #openstack-fwaas13:57
*** chandanc_ has joined #openstack-fwaas14:00
*** reedip has quit IRC14:06
*** brenda_ has joined #openstack-fwaas14:07
brenda_Has the meeting started?14:09
njohnstonyes, on #openstack-meeting-414:09
*** brenda_ has left #openstack-fwaas14:12
*** reedip has joined #openstack-fwaas14:20
*** amotoki has quit IRC14:29
*** amotoki has joined #openstack-fwaas14:35
*** amotoki has quit IRC14:57
*** brenda_ has joined #openstack-fwaas15:00
yushiroI'm home.15:00
*** SridarK has joined #openstack-fwaas15:01
SridarKyushiro: hi15:01
yushiroSridarK, hi15:01
xgermanhi15:01
brenda_hi15:01
SridarKyushiro: on #link https://review.openstack.org/#/c/423229/15:02
SridarKi wanted to clarify None vs ANY15:02
yushiroSridarK, yes.15:02
SridarKI think it is fine - just wanted some clarifications15:02
SridarK1) If nothing is specified - we default to TCP15:03
SridarKyushiro: that is correct ?15:04
yushirohmm, currently it's not.  in OSC plugin, if nothing is specified for 'protocol',  set None(equal to 'any')15:06
*** hoangcx has quit IRC15:06
*** chandanc_ has quit IRC15:06
yushiroThis behavior is same as v1 I think.15:06
SridarKbut we want the default to be TCP ?15:06
*** brenda_ has quit IRC15:06
yushiroSridarK, Yes15:07
SridarKok15:08
*** brenda_ has joined #openstack-fwaas15:08
yushiroSridarK, sorry.  I was confused about 'default' behavior between server side and client side.15:09
SridarKyushiro: no worries15:09
SridarKu mentioned the fix on the Client too15:09
yushiroYes.  However, python-neutronclient is hard to be merged from now you know.  This is my TODO.  Is it OK?15:11
*** brenda_ has quit IRC15:11
SridarKyushiro: ok that is fine, i wanted to see what would the best model that has no confusion15:11
SridarKIf the protocol is set to ANY15:12
SridarKthen providing port numbers is a bit questionable on the rul15:12
SridarK*rule15:12
yushiroOk15:13
SridarKit will be relevant for TCP or UDP15:13
SridarKbut for other things carried in an IP packet will not make sense15:13
yushiroSridarK, I see.  BTW, 'protocol' can specify 8 bit integer value, right?15:13
SridarKwe could have a rule that could say "I want to filter all packets going to destination 20.20.20.23 and i dont really care what protocol"15:14
SridarKit could be TCP or UDP or something else15:15
SridarKbut if we add dest L4 port - now that is a bit confusing15:15
SridarKyes the protocol can specify a 8 bit integer value15:15
SridarKso i am wondering about our valdation logic15:16
yushiroSridarK, Yes. and I found bugs...15:16
SridarKor maybe we just map to what iptables supports15:16
yushirocurl -X POST -d '{"firewall_rule":{"name":"test", "protocol": "10", "action": "deny"}}'  : Invalid input for protocol. Reason: 10 is not in valid_values.15:17
yushirocurl -X POST -d '{"firewall_rule":{"name":"test", "protocol": 10, "action": "deny"}}' : Request Failed: internal server error while processing your request.15:17
yushiroAttributeError: 'int' object has no attribute 'isdigit' at neutron_fwaas/extensions/firewall.py +17915:18
SridarKwhat if u set it to 6 (TCP)15:18
yushiroOK. Just a moment.15:18
SridarKit will probab also fail like this15:18
SridarKmaybe we need to clean up more15:19
yushiroSridarK, Yes. same error occurred.15:19
SridarKso really if we said protocol = 6, then L4 ports should be valid15:19
yushiroI see.15:20
SridarKbut i think we have a basic issue here in our validator15:20
SridarKit seems we cannot specify an 8 bit integer value for protocol15:20
yushiroyes.  I'll file a bug-report.15:21
yushiroonly 'tcp', 'udp', 'icmp' or 'any'15:21
SridarKor we can just state that we only support ICMP, TCP or UDP now15:21
SridarKIf nothing is specified it will default to TCP15:21
*** amotoki has joined #openstack-fwaas15:22
yushiroI think it is better and easy to understand for CLI users.15:22
SridarKok some more thinking is needed too15:22
SridarKlet me also look at the code15:22
yushiroYes.15:22
SridarKalso we can check on iptables15:23
yushiroYes also.15:23
SridarKi agree that this is confusing15:23
SridarKit is very late for u15:24
SridarKwe can discuss on email or i will ping u during ur morning15:24
*** brenda_ has joined #openstack-fwaas15:24
yushiroOK.  Thank you for your kindness :)15:24
SridarKoh pls no worries15:24
SridarKwe can also discuss more on the L2Agent with padkrish15:24
SridarKtomorrow morning ur time15:25
SridarKyushiro: anything else to discuss ?15:25
yushiroSridarK, nothing.  Maybe tomorrow, I'll ask you about default fwg.15:26
*** amotoki has quit IRC15:26
SridarKyushiro: ok then15:26
SridarKGood Night15:26
yushiroSee you.15:26
*** yushiro has quit IRC15:26
*** amotoki has joined #openstack-fwaas15:26
*** amotoki has quit IRC15:27
*** brenda_ has quit IRC15:27
*** amotoki has joined #openstack-fwaas15:27
*** brenda_ has joined #openstack-fwaas15:28
brenda_Can we have a discussion about https://review.openstack.org/#/c/423161/15:29
brenda_There are different opions about if we should set ‘audited’ to False automatically after insert rule or remove rule from a firewall policy.15:33
*** brenda_ has quit IRC15:35
*** brenda_ has joined #openstack-fwaas15:36
*** brenda_ has left #openstack-fwaas15:39
*** amotoki has quit IRC15:41
*** amotoki has joined #openstack-fwaas15:57
*** reedip has quit IRC16:02
*** reedip has joined #openstack-fwaas16:16
*** reedip_ has joined #openstack-fwaas16:40
reedip_hi16:41
reedip_sorry was out so couldnt attend the meeting today16:41
reedip_hi SridarK17:17
SridarKreedip_: Hi17:18
reedip_SridarK : I was checking https://review.openstack.org/#/c/424534/117:18
reedip_It is related to demonstrating public resources to other projects17:19
SridarKwe were going to discuss this but it was late for Yushiro17:19
SridarKi am quite confused on this too17:19
SridarKperhaps ur morning time tomorrow we can continue this discussion17:20
reedip_SridarK : I get his intention, public firewalls must be visible to other tenants17:20
reedip_SridarK : I will be in office early tomorrow probably, so yes17:20
SridarKyes that is correct seems we have some issues with public and shared17:20
reedip_my only objection is the overwritten function17:20
SridarKreedip_: ok lets do that then - i think we need to understand this more17:20
SridarKreedip_: ok - i will be heading in to work now so will go offline17:21
reedip_SridarK : ok, sure. Even if I am not there, you can continue and I will discuss with him as we have similar work time ( he is JST )17:21
reedip_have a good day SridarK :)17:21
SridarKreedip_: yes absolutely17:21
SridarKreedip_: thx and Good evening/Night17:21
reedip_its 11 PM , so night would be a good call :)17:24
*** amotoki has quit IRC17:38
*** mickeys has joined #openstack-fwaas17:38
*** reedip_ has quit IRC17:59
*** amotoki has joined #openstack-fwaas18:04
*** amotoki has quit IRC18:06
*** SridarK has quit IRC18:24
*** SridarK_ has joined #openstack-fwaas19:21
*** SridarK_ has quit IRC20:47
*** yamamoto has joined #openstack-fwaas21:08
*** yamamoto has quit IRC21:12
*** amotoki has joined #openstack-fwaas22:02
*** yamamoto has joined #openstack-fwaas22:17
*** amotoki has quit IRC23:15
*** amotoki has joined #openstack-fwaas23:22
*** amotoki has quit IRC23:42
« Monday, 2017-01-23 Index Wednesday, 2017-01-25 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!