*** padkrish has quit IRC | 00:30 | |
*** hoangcx has joined #openstack-fwaas | 00:54 | |
*** padkrish has joined #openstack-fwaas | 01:01 | |
*** padkrish has quit IRC | 01:04 | |
*** padkrish has joined #openstack-fwaas | 01:05 | |
*** padkrish has quit IRC | 01:09 | |
yushiro | ping xgerman | 02:20 |
xgerman | pong | 02:20 |
yushiro | hi, I applied PS(https://review.openstack.org/#/c/404942/) and checked behavior. | 02:27 |
yushiro | (policy.json for FWaaS v2 patch) | 02:27 |
yushiro | We still can create 'public=True' for firewall_policy and firewall_rule. | 02:28 |
yushiro | I'm investigating neutron/policy.py with pdb debugger. | 02:29 |
yushiro | xgerman: I'll tell you if I catch some missing piece. | 02:30 |
xgerman | ok, let me know… this is real weird… at least I got _policy out of our policy patch | 02:31 |
xgerman | In the tempest test I changed changing from public=false to public=true bombed | 02:31 |
yushiro | aha, good bomb. | 02:34 |
yushiro | I found that, in neutron policy.py, _ENFORCER.rules includes all of policy rules. | 02:36 |
yushiro | in this rule, create_firewall_policy:public and create_firewall_rule:public are missed. | 02:37 |
yushiro | So, I doubt for loading policy logic. | 02:38 |
*** amotoki has quit IRC | 02:59 | |
xgerman | ouch, | 03:02 |
xgerman | yeah, we let everybody create a firewall in our policy | 03:03 |
xgerman | no | 03:03 |
xgerman | https://www.irccloud.com/pastebin/RpCpZZwy/ | 03:04 |
xgerman | but this might not work for create… not sure when it checks for fields… | 03:04 |
xgerman | I think you control field access and so without it being created it likely won’t work | 03:05 |
xgerman | yushiro? | 03:05 |
yushiro | xgerman, yes. watching your comment. | 03:05 |
xgerman | mmh, how do they do the shared networks? | 03:06 |
yushiro | xgerman, looks like same approach. "create_network": "", ..., "create_network:shared": "rule:admin_only", | 03:06 |
xgerman | yeah, so our *should* work, too | 03:07 |
yushiro | Ah!!! sorry xgerman. I just updated PS and restart neutron-servers. | 03:08 |
xgerman | ok, let’s see if that helps | 03:08 |
yushiro | xgerman, I forgot overwriting neutron-fwaas.json into /etc/policy.d/neutron-fwaas.json | 03:08 |
yushiro | I'll try it again. | 03:09 |
xgerman | yeah, that would do it :-) | 03:09 |
*** amotoki has joined #openstack-fwaas | 03:10 | |
yushiro | I'll go for lunch now :) will check it again ! | 03:11 |
xgerman | k, will likely be asleep by then… Eastern Time :-( | 03:12 |
*** yushiro is now known as yushiro_lunch | 03:12 | |
yushiro_lunch | good night :) | 03:12 |
*** amotoki has quit IRC | 03:15 | |
*** amotoki has joined #openstack-fwaas | 03:20 | |
*** padkrish has joined #openstack-fwaas | 03:20 | |
*** padkrish_ has joined #openstack-fwaas | 03:23 | |
*** padkrish has quit IRC | 03:25 | |
*** amotoki_ has joined #openstack-fwaas | 03:33 | |
*** amotoki has quit IRC | 03:35 | |
*** padkrish_ has quit IRC | 03:36 | |
*** amotoki_ has quit IRC | 03:42 | |
*** amotoki has joined #openstack-fwaas | 04:16 | |
*** reedip has quit IRC | 04:35 | |
*** reedip has joined #openstack-fwaas | 04:47 | |
*** reedip has quit IRC | 05:58 | |
*** reedip has joined #openstack-fwaas | 06:10 | |
*** padkrish has joined #openstack-fwaas | 06:22 | |
*** yushiro_lunch is now known as yushiro | 06:43 | |
*** padkrish has quit IRC | 06:45 | |
*** padkrish has joined #openstack-fwaas | 06:46 | |
yushiro | ping njohnston , xgerman | 06:56 |
yushiro | sorry for late time. Are you there? | 06:56 |
reedip | yushiro : minor changes | 06:58 |
yushiro | reedip, Hi. sorry, what is minor changes? | 06:59 |
reedip | mentioned in your Patch Set | 06:59 |
yushiro | OK. thanks. will check. | 06:59 |
yushiro | wow, super quick review!! thanks. | 07:00 |
reedip | lol , I was bored | 07:01 |
yushiro | reedip, haha, no way :) BTW, let me check your reply. | 07:02 |
yushiro | I thought L.105 model.shared == sql.true(). That's why I separated with 'elif hasattr(model, 'public'): | 07:03 |
yushiro | reedip: In your logic, it is necessary to care when accessing model.shared or model.public. I'll think it again. Thank you. | 07:04 |
*** padkrish has quit IRC | 07:44 | |
*** yamamoto has quit IRC | 08:10 | |
reedip | yushiro: hi | 08:35 |
yushiro | reedip, hi | 08:35 |
reedip | yushiro: I checked https://review.openstack.org/#/c/351582/40/neutronclient/osc/v2/fwaas/firewallrule.py Line#62 | 08:36 |
reedip | I see that ANY is there , like ICMP, TCP, UDP etc., | 08:36 |
reedip | yushiro : Never mind ( I thought you were making the change for https://bugs.launchpad.net/python-neutronclient/+bug/1658598 in neutron-fwaas , but now I see that you are changing it in neutronclient, so please ignore my ping :) ) | 08:37 |
openstack | Launchpad bug 1658598 in python-neutronclient "FWaaSv2 - 'protocol' parameter is incorrect for firewall_rule" [Undecided,New] - Assigned to Yushiro FURUKAWA (y-furukawa-2) | 08:37 |
yushiro | OK. | 08:39 |
reedip | sorry :) | 08:39 |
yushiro | aha. NP. | 08:40 |
yushiro | So, a true specification is that we can specify 'tcp', 'udp', 'icmp', 'any' and protocol number directly from 0...255. | 08:40 |
reedip | Yes | 08:41 |
yushiro | However, in v2 SPEC(http://specs.openstack.org/openstack/neutron-specs/specs/newton/fwaas-api-2.0.html) there is nothing mentioned about 'protocol' deeply. | 08:43 |
yushiro | hmm, but anyway, I believe that we can also specify protocol number. | 08:44 |
*** yamamoto has joined #openstack-fwaas | 08:46 | |
reedip | yes we can | 09:06 |
*** yamamoto has quit IRC | 09:21 | |
yushiro | OK, Thanks. | 09:28 |
*** yamamoto has joined #openstack-fwaas | 09:40 | |
*** amotoki has quit IRC | 09:44 | |
yushiro | ping reedip | 10:20 |
yushiro | reedip, I replied to your comment. Could you check it again? | 10:21 |
yushiro | https://review.openstack.org/#/c/423947/ | 10:21 |
reedip | yushiro : I don't mind either of the options, my point is if both the elif loops have the same logic, you can combine the conditions into a single elif loop | 10:22 |
reedip | reduces the LOC and also doesn't complicate things much | 10:22 |
yushiro | OK. However, in this case, even if we use single 'elif', we should validate model.shared or model.public, shouldn't we? | 10:24 |
*** hoangcx has quit IRC | 10:27 | |
reedip | umm, yes | 10:31 |
yushiro | so, I think a LOC of current logic is smaller than 'single elif' one. | 10:32 |
yushiro | Sorry reedip, your idea is better. Is it close to your idea? http://paste.openstack.org/show/596013/ | 10:37 |
*** yamamoto has quit IRC | 11:34 | |
*** yushiro has quit IRC | 12:02 | |
*** amotoki has joined #openstack-fwaas | 12:15 | |
*** amotoki has quit IRC | 12:33 | |
*** yamamoto has joined #openstack-fwaas | 12:34 | |
*** yamamoto has quit IRC | 13:14 | |
*** reedip_ has joined #openstack-fwaas | 13:27 | |
reedip_ | Hi all, this patch may be important :) https://review.openstack.org/#/c/413082/ | 14:00 |
*** reedip_ has left #openstack-fwaas | 14:07 | |
*** amotoki has joined #openstack-fwaas | 14:11 | |
*** amotoki has quit IRC | 14:25 | |
*** reedip_ has joined #openstack-fwaas | 16:01 | |
*** amotoki has joined #openstack-fwaas | 16:06 | |
*** reedip has quit IRC | 16:07 | |
reedip_ | some bugs have been opened for FWaaS , need to be looked into | 16:16 |
reedip_ | https://bugs.launchpad.net/bugs/1656735 | 16:16 |
openstack | Launchpad bug 1656735 in neutron "Fwaas - insert_rule and remove_rule always set audited to False" [Undecided,Opinion] - Assigned to brenda (tian-mingming) | 16:16 |
*** reedip has joined #openstack-fwaas | 16:21 | |
*** padkrish has joined #openstack-fwaas | 16:28 | |
*** padkrish_ has joined #openstack-fwaas | 16:33 | |
*** padkrish has quit IRC | 16:34 | |
*** reedip_ has quit IRC | 16:49 | |
*** padkrish_ has quit IRC | 17:26 | |
*** padkrish has joined #openstack-fwaas | 17:28 | |
*** padkrish has quit IRC | 17:45 | |
*** padkrish has joined #openstack-fwaas | 17:57 | |
*** amotoki has quit IRC | 18:18 | |
*** padkrish has quit IRC | 18:22 | |
*** padkrish has joined #openstack-fwaas | 18:48 | |
*** padkrish has quit IRC | 19:08 | |
*** padkrish has joined #openstack-fwaas | 19:12 | |
*** afranc has quit IRC | 19:16 | |
*** amotoki has joined #openstack-fwaas | 19:18 | |
*** afranc has joined #openstack-fwaas | 19:22 | |
*** padkrish has quit IRC | 19:35 | |
*** padkrish has joined #openstack-fwaas | 20:14 | |
*** padkrish has quit IRC | 20:28 | |
*** padkrish has joined #openstack-fwaas | 20:29 | |
*** hoangcx has joined #openstack-fwaas | 21:01 | |
*** padkrish has quit IRC | 21:10 | |
*** yamamoto has joined #openstack-fwaas | 21:20 | |
*** padkrish has joined #openstack-fwaas | 21:40 | |
*** yamamoto has quit IRC | 21:43 | |
*** padkrish has quit IRC | 21:46 | |
*** padkrish has joined #openstack-fwaas | 22:05 | |
*** hoangcx has quit IRC | 22:05 | |
*** padkrish has quit IRC | 22:08 | |
*** yamamoto has joined #openstack-fwaas | 22:23 | |
*** padkrish has joined #openstack-fwaas | 22:36 | |
*** padkrish has quit IRC | 22:43 | |
*** padkrish has joined #openstack-fwaas | 22:54 | |
*** padkrish has quit IRC | 23:14 | |
*** yushiro has joined #openstack-fwaas | 23:47 | |
yushiro | hi njohnston , xgerman . Thanks for your review https://review.openstack.org/#/c/423947 | 23:52 |
yushiro | I'm sorry for posting such a patch. Currently, I'm reading your concerns about this patch and considering solving them in fwaas code. | 23:53 |