*** hoangcx has joined #openstack-fwaas | 00:57 | |
*** hoangcx has quit IRC | 01:42 | |
*** hoangcx has joined #openstack-fwaas | 02:00 | |
*** annp has joined #openstack-fwaas | 03:45 | |
annp | reedip, good morning. | 03:46 |
reedip | good morning annp | 03:46 |
annp | reedip :) | 03:46 |
reedip | how ar eu | 03:46 |
reedip | how are u * ? | 03:46 |
annp | yes, I'm good and how about you? | 03:46 |
annp | reedip, I'm working on fwaas l2 agent patch to resolve comment from you and Inessa. | 03:48 |
reedip | I am fine ... | 03:48 |
reedip | ok annp ... | 03:48 |
reedip | I am also looking into it to resolve the LIST issue | 03:48 |
annp | reedip, and I mark something moving to default fwg patch. Could you update default fwg patch? | 03:49 |
reedip | Yes, I can | 03:50 |
reedip | Let me check, I think you marked 3 places | 03:50 |
reedip | https://review.openstack.org/#/c/323971/51/neutron_fwaas/services/firewall/fwaas_plugin_v2.py@63 | 03:50 |
reedip | https://review.openstack.org/#/c/323971/51/neutron_fwaas/services/firewall/fwaas_plugin_v2.py@199 | 03:50 |
annp | reedip, I think we can introduce a new patch for applying default fwg on L2. Do you think so? | 03:50 |
reedip | https://review.openstack.org/#/c/323971/51/neutron_fwaas/services/firewall/fwaas_plugin_v2.py@224 | 03:50 |
reedip | Are they correct ? | 03:50 |
reedip | If yes, then I will move these 3 pieces of code to DFWG patch | 03:51 |
annp | reedip, correct. | 03:51 |
annp | reedip: how about https://review.openstack.org/#/c/323971/51/neutron_fwaas/services/firewall/agents/l2/fwaas_v2.py@308 | 03:52 |
reedip | I don't think it's related with DFWG | 03:52 |
reedip | to be honest | 03:53 |
reedip | But yes https://review.openstack.org/#/c/323971/51/neutron_fwaas/services/firewall/fwaas_plugin_v2.py@448 is one more | 03:53 |
annp | reedip: I'd like to introduce a new patch set for applying default fwg. This patch will depend on the L2 agent patch and the fwg default patch. | 03:53 |
annp | reedip, what do you think? | 03:54 |
annp | https://review.openstack.org/#/c/323971/51/neutron_fwaas/services/firewall/fwaas_plugin_v2.py@448 It can be in new "applying default fwg" patch. :) | 03:55 |
reedip | I am not sure how it will fix ... | 03:55 |
reedip | Let me see | 03:55 |
annp | if we can introduce a new patch-set "applying default fwg" to handle all action related to default fwg. It would be nice. | 03:57 |
reedip | annp : I am not sure how L2 is directly tied with Default FWG | 03:59 |
reedip | So I am not sure if we need a separate patch to handle applying default FWG over L2. Though the idea seems nice, how big it would be and how useful it would be remain to be seen | 04:00 |
annp | reedip, I think the applying default fwg patch will be small. Moreover, separating the patches allows the L2 patch and default FWG to be merged independently. And we will not be confused about "What is in the default fwg patch, what should be in the L2 patch" | 04:08 |
annp | reedip, that's my idea. :) | 04:08 |
annp | If it's reasonable, I will introduce the "applying patch", or we should discuss it in tomorrow's meeting. What do you think? | 04:09 |
reedip | annp : I think currently default FWG is separate from the L2 implementation | 04:14 |
reedip | annp : I mean both are pretty independent of each other. the Default FWG can exist without the L2 Agent, right ? | 04:14 |
annp | yes, you're right. | 04:15 |
reedip | hmm | 04:16 |
reedip | So , lets discuss it once in tomorrow's meeting | 04:16 |
annp | But L2's implementation depends on some definitions from default fwg. | 04:16 |
reedip | annp because we are assuming that L2 would work with default FWG but actually it's not so. The L2 agent and default FWG can work independently. | 04:17 |
reedip | Actually whatever needs to be defined in L2 should remain in the L2 patch ONLY. And whatever is there in the FWG should remain in the FWG | 04:17 |
reedip | mixing it causes the merge conflict issue | 04:18 |
annp | reedip, so I'd like to remove the definitions and handle all impact of default fwg in the new patch. | 04:18 |
reedip | annp : Okay, lets first propose a new Default FWG patch | 04:18 |
reedip | then we can see what is needed by L2 | 04:18 |
annp | reedip, new applying default fwg patch. :) | 04:19 |
reedip | and then see if we can remove the dependency of default FWG from L2 | 04:19 |
reedip | annp : I will push a new patch of default FWG | 04:19 |
annp | reedip, thanks. And I will introduce apply default fwg patch also. | 04:20 |
reedip | ok | 04:20 |
annp | reedip, Thanks for long discussion. :) | 04:21 |
reedip | :) | 04:21 |
openstackgerrit | Nguyen Phuong An proposed openstack/neutron-fwaas master: FWaaS v2 extension for L2 agent https://review.openstack.org/323971 | 04:26 |
reedip | annp : enable_l2 option is not required. So I am removing it from https://review.openstack.org/#/c/323971/51/neutron_fwaas/services/firewall/fwaas_plugin_v2.py@61 | 04:28 |
reedip | annp : Let me know the patch for applying default FWG on L2 patch | 04:50 |
openstackgerrit | Nguyen Phuong An proposed openstack/neutron-fwaas master: Applying default firewall group https://review.openstack.org/504847 | 04:52 |
openstackgerrit | Reedip proposed openstack/neutron-fwaas master: Introduce default firewall groups https://review.openstack.org/425769 | 04:54 |
reedip | annp : updated ^^ | 04:54 |
openstackgerrit | Reedip proposed openstack/neutron-fwaas master: Applying default firewall group https://review.openstack.org/504847 | 04:58 |
reedip | annp : updated ^^ | 04:58 |
annp | reedip, thanks for your update. | 05:00 |
reedip | annp : mention not, but we are missing a function in the plugins | 05:01 |
reedip | I have mentioned it in the comments | 05:01 |
annp | I will leave the office now. Please feel free to update all patch-sets if you want. :) | 05:01 |
reedip | lol :) Naah, I will focus on the default FWG for now | 05:01 |
annp | sorry, I forgot. I will update it when I'm back to work on Wednesday. | 05:02 |
annp | reedip, :) have a good day. | 05:02 |
reedip | you too annp :) | 05:02 |
*** annp has quit IRC | 05:03 | |
openstackgerrit | Reedip proposed openstack/neutron-fwaas master: Add fullstack testing for neutron-fwaas https://review.openstack.org/394619 | 06:28 |
openstackgerrit | Reedip proposed openstack/neutron-fwaas master: Add new protocols in Firewalls https://review.openstack.org/440331 | 06:32 |
*** reedip has quit IRC | 09:20 | |
*** reedip has joined #openstack-fwaas | 09:21 | |
ivasilevskaya | reedip, hi! | 10:05 |
ivasilevskaya | Just can't get default fwg generation out of my head. Read your last comments - I suppose default fwg was introduced for the sake of l2 ext patch: when a firewall group is deleted then its vm ports will be "reattached" to the default fwg. If that was the idea - then one default fwg should be present at all times just like in neutron | 10:05 |
reedip | ivasilevskaya : If that is the case, then deletion of the default FWG doesn't make enough sense. | 10:07 |
reedip | lets discuss it during the team meeting tomorrow, because it needs inputs from yushiro and SridarK as well as xgerman_ and annp | 10:08 |
ivasilevskaya | reedip, I'm not talking about deletion of default fwg, I'm talking about deletion of any fwg that has vm ports associated to it | 10:08 |
reedip | Yes, my point is if there can be a scenario where the fwg is deleted and the default FWG doesn't exist | 10:09 |
ivasilevskaya | sure, we'll discuss it tomorrow :) | 10:10 |
reedip | :) | 10:10 |
*** amotoki has quit IRC | 10:41 | |
*** amotoki has joined #openstack-fwaas | 10:43 | |
-openstackstatus- NOTICE: Gerrit will be offline for the upgrade to 2.13 starting at 15:00 UTC (in roughly 3 hours) and is expected to probably be down/unusable for 8+ hours while an offline reindex is performed: http://lists.openstack.org/pipermail/openstack-dev/2017-August/120533.html | 12:05 | |
-openstackstatus- NOTICE: Gerrit will be offline for the upgrade to 2.13 starting at 15:00 UTC (in roughly 1.5 hours) and is expected to probably be down/unusable for 8+ hours while an offline reindex is performed: http://lists.openstack.org/pipermail/openstack-dev/2017-August/120533.html | 13:36 | |
xgerman_ | reedip, ivasilevskaya: | 14:08 |
xgerman_ | 1) You can’t delete a FWG with ports still attached | 14:09 |
xgerman_ | 2) You can delete all FWG to have a port without an FWG so you can switch off port security | 14:09 |
-openstackstatus- NOTICE: Gerrit will be offline for the upgrade to 2.13 starting at 15:00 UTC (in roughly 30 minutes) and is expected to probably be down/unusable for 8+ hours while an offline reindex is performed: http://lists.openstack.org/pipermail/openstack-dev/2017-August/120533.html | 14:31 | |
*** sterdnotshaken has joined #openstack-fwaas | 14:59 | |
-openstackstatus- NOTICE: The Gerrit service at https://review.openstack.org/ is offline, upgrading to 2.13, for an indeterminate period of time hopefully not to exceed 23:59 UTC today: http://lists.openstack.org/pipermail/openstack-dev/2017-August/120533.html | 15:02 | |
*** reedip_ has joined #openstack-fwaas | 15:12 | |
*** sterdnotshaken1 has joined #openstack-fwaas | 15:18 | |
reedip_ | o/ | 15:19 |
*** sterdnotshaken has quit IRC | 15:21 | |
*** reedip_ has quit IRC | 16:01 | |
ivasilevskaya | xgerman_: but I believe it's possible to remove a firewall group\port association for some vm port - in this case the vm port will be associated with default fwg, right? | 16:33 |
-openstackstatus- NOTICE: The Gerrit service at https://review.openstack.org/ is offline, upgrading to 2.13, for an indeterminate period of time hopefully not to exceed 23:59 UTC today: http://lists.openstack.org/pipermail/openstack-dev/2017-August/120533.html | 16:36 | |
*** ChanServ changes topic to "The Gerrit service at https://review.openstack.org/ is offline, upgrading to 2.13, for an indeterminate period of time hopefully not to exceed 23:59 UTC today: http://lists.openstack.org/pipermail/openstack-dev/2017-August/120533.html" | 16:36 | |
xgerman_ | ivasilevskaya nope - we are modeling the SG behavior, where then no FWG is associated, to eventually allow removing port security. In the SG case you CAN’T remove port security until all SGs are removed from the port. FWG needs to work the same way | 16:43 |
ivasilevskaya | xgerman_: I may be a bit out of scope - but why are you talking about disabling port security? | 16:44 |
xgerman_ | we need to give users the option to do so | 16:45 |
xgerman_ | so it’s driving some of the design decisions | 16:45 |
ivasilevskaya | xgerman_: I thought that the whole idea of these changes (default fwg, l2 agent extension, following ovs\iptables drivers) are to enable it | 16:45 |
xgerman_ | yes, but we can’t make it so that if a user wants to disable port security on a port we break it so that he can’t anymore | 16:46 |
ivasilevskaya | xgerman_: so port security is a port-level setting, not a system-wide one? | 16:46 |
xgerman_ | yes | 16:46 |
ivasilevskaya | xgerman_ : just curious - how is it supposed to coexist with neutron security groups, by the way? | 16:48 |
ivasilevskaya | by this I mean fwaas l2 extension and, say, neutron ovsfw driver | 16:48 |
xgerman_ | I think we will run first and then SG | 16:49 |
ivasilevskaya | xgerman_: And can you share any notes/spec on the whole expected behavior? All I had was the ideas behind foggy comments and TODOs in l2 extension patch | 16:49 |
xgerman_ | the idea is that if one of them denies it will be denied - only if both accept a packet will go through. There are changes to conntrack planned to enable that behavior | 16:50 |
xgerman_ | yes, we are a bit foggy - our code “diverged” a bit from the spec and our goal is to add some documentation to make things clearer | 16:51 |
ivasilevskaya | xgerman_: as long as it's fwaas pipeline and the neutron sg -> it might even work that way | 16:51 |
ivasilevskaya | then* | 16:51 |
ivasilevskaya | xgerman_: but is there a spec? I'd like to take a look | 16:53 |
xgerman_ | https://github.com/openstack/neutron-specs/blob/master/specs/newton/fwaas-api-2.0.rst | 16:55 |
ivasilevskaya | xgerman_ cool, thanks | 16:55 |
*** lnicolas has joined #openstack-fwaas | 18:05 | |
*** vishwanathj has joined #openstack-fwaas | 19:28 | |
*** sterdnotshaken1 has quit IRC | 19:39 | |
*** sterdnotshaken has joined #openstack-fwaas | 19:54 | |
*** yamamoto has joined #openstack-fwaas | 23:36 | |
*** sterdnotshaken1 has joined #openstack-fwaas | 23:41 | |
*** sterdnotshaken has quit IRC | 23:41 | |
*** ChanServ changes topic to "#openstack-fwaas" | 23:44 | |
-openstackstatus- NOTICE: review.openstack.org Gerrit 2.13 upgrade is functionally complete. The Infra team will be cleaning up bookkeeping items over the next couple days. If you have any questions please let us know | 23:44 |