*** hongbin has quit IRC | 00:19 | |
*** yamamoto has quit IRC | 00:28 | |
*** longkb has joined #openstack-fwaas | 00:39 | |
*** longkb has quit IRC | 01:08 | |
*** annp has joined #openstack-fwaas | 03:08 | |
*** velizarx has joined #openstack-fwaas | 07:52 | |
*** velizarx has quit IRC | 08:24 | |
*** velizarx has joined #openstack-fwaas | 08:30 | |
doude | Hi annp, thanks for you review | 09:12 |
doude | your* | 09:12 |
doude | just a question, do you know what that check is used for? https://github.com/openstack/neutron-fwaas/blob/master/neutron_fwaas/services/firewall/fwaas_plugin_v2.py#L189-L190 | 09:13 |
doude | I don't understand that shortcut | 09:13 |
*** longkb has joined #openstack-fwaas | 10:10 | |
annp | hi doude | 10:19 |
annp | doude, sorry for late response | 10:19 |
*** longkb has quit IRC | 10:20 | |
annp | doude, That code used to check whether port security is enabled or not. | 10:22 |
annp | if a port does not have security groups enabled, then we do not need to check whether this port is a hybrid port or not. | 10:23 |
doude | np annp | 10:23 |
doude | why? | 10:23 |
doude | that means if port security is disabled, the firewall driver supports that port | 10:24 |
annp | In my understanding, security rule (sg rule and fw rule) won't apply on this port | 10:25 |
doude | I think that check should be done after we verified the port type is OVS, no? | 10:26 |
doude | oh, you mean if port security disabled on a port, no SG or FP are applied on the port? | 10:26 |
annp | Just a second, let me check the source code | 10:27 |
annp | https://github.com/openstack/neutron-fwaas/blob/master/neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/firewall.py#L355 | 10:29 |
annp | Yes. I think so. | 10:29 |
doude | IMO, port security and SG are not linked. You could disable port security (anti-spoofing rules) on a port and still apply SG rules | 10:29 |
annp | From my understanding, if we disable port security, then security group rule won't apply, right? | 10:32 |
doude | no, I don't think so | 10:32 |
annp | Sorry I'm still confused, because following the code https://github.com/openstack/neutron/blob/master/neutron/agent/linux/openvswitch_firewall/firewall.py#L530, security group rule won't apply. | 10:35 |
doude | ok so if port security is disabled, SG does not apply? | 10:37 |
doude | and if port security is disabled, we should not apply firewall policies on the port too? | 10:38 |
annp | doude, Yes. I think so. | 10:38 |
annp | doude, Don't you think we should sync up with SridarK, xgerman, yushiro on your patch? | 10:40 |
doude | so why return True directly in that case if port security is disabled? | 10:41 |
doude | yes I added SridarK, xgerman and yushiro as reviewers | 10:42 |
doude | but it's thanksgiving actually, so probably get feedback next week | 10:43 |
annp | Because fw_l2_driver and the OVS-based security group driver don't matter when port security is disabled, so I think we can return directly here. | 10:47 |
annp | Yeah, they're in thanksgiving. :-) | 10:47 |
doude | yes got it annp for the OVS case, but you returned True before you validated the port is an OVS port | 10:50 |
annp | doude, ah, I got it. Yes. It should be validated after we check whether it is an OVS port or not. | 10:51 |
annp | doude, This is my mistake. Thank you. | 10:53 |
doude | ok | 10:53 |
doude | I can move that check in patch to the agent driver code | 10:53 |
doude | I found in ML2 plugin code which limits SG only if port security enabled | 10:54 |
doude | https://github.com/openstack/neutron/blob/aefd805ccadd872f33ab1f8ebcdde37acc939da7/neutron/plugins/ml2/plugin.py#L1239-L1240 | 10:54 |
doude | I don't understand why ML2 has that limitation | 10:54 |
doude | it seems more a limitation due to the OVS implementation than usage limitation | 10:55 |
annp | doude, hm, I don't understand either. | 11:01 |
annp | doude, I think you can reach out to Jakub to ask about that :-) | 11:02 |
doude | ok | 11:07 |
annp | doude, btw, if you're interested in https://review.openstack.org/#/c/600870/. Please help us to review it :-) | 11:07 |
doude | that's not an issue for me, in Contrail we don't have that limitation :) | 11:08 |
doude | so do you want me to propose a new patch set to fix that port security check? | 11:08 |
doude | ok I'll try to review that | 11:08 |
annp | doude: Yessss. It would be great. | 11:09 |
annp | doude, I'm looking forward to your new patch. | 11:09 |
annp | doude, Are you in USA? | 11:10 |
doude | ok thanks annp. No, I'm living in France (UTC+1) | 11:12 |
doude | and you? | 11:12 |
annp | I'm living in Vietnam (GMT+7). | 11:13 |
annp | Do the French people celebrate thanksgiving? | 11:14 |
doude | no we don't | 11:17 |
annp | me too. Anyway, Happy thanksgiving! | 11:19 |
annp | I will leave office now. | 11:19 |
doude | but the commercial business of big companies is pushing in Europe to establish Black Friday | 11:19 |
doude | business :) | 11:19 |
doude | yes have good evening and happy thanksgiving | 11:20 |
openstackgerrit | Édouard Thuleau proposed openstack/neutron-fwaas master: Move port validation support into the driver https://review.openstack.org/619286 | 11:20 |
annp | ah, yeah. I've just bought a book from Julien Danjou :p | 11:21 |
doude | I just pushed a new patch set for port security stuff | 11:21 |
doude | yes, good reading. Which one? Scaling? | 11:21 |
doude | I have both | 11:21 |
doude | I know him, very nce guy | 11:21 |
doude | nice* | 11:21 |
annp | I bought the scaling book. | 11:21 |
annp | :-) | 11:22 |
doude | good choice | 11:22 |
annp | Yeah! :-) See you and have a great day ahead. | 11:25 |
*** annp has quit IRC | 11:26 | |
*** velizarx has quit IRC | 12:23 | |
*** velizarx has joined #openstack-fwaas | 12:54 | |
*** hongbin has joined #openstack-fwaas | 15:01 | |
*** velizarx has quit IRC | 16:17 | |
*** hongbin has quit IRC | 17:49 | |
*** hongbin has joined #openstack-fwaas | 17:49 |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!