Monday, 2017-11-06

00:05 *** yushiro-mobile has joined #openstack-fwaas
00:06 *** yushiro-mobile has quit IRC
00:06 *** yushiro-mobile has joined #openstack-fwaas
00:31 *** yushiro-mobile has quit IRC
00:50 *** hoangcx has joined #openstack-fwaas
01:32 *** yushiro-mobile has joined #openstack-fwaas
01:33 <yushiro-mobile> I'm finding Sridar now...
03:03 *** yamamoto has joined #openstack-fwaas
03:25 <reedip> yushiro-mobile +1 :)
03:26 <yushiro-mobile> reedip: do u know where he is? :-)
03:26 <reedip> I dont know, I am in India :D
03:27 <yushiro-mobile> reedip: Haha.  Thanks.
03:32 *** yushiro2-mobile has joined #openstack-fwaas
03:32 *** yushiro-mobile has quit IRC
03:46 *** annp has joined #openstack-fwaas
03:46 *** yushiro2-mobile has quit IRC
06:02 *** lnicolas has quit IRC
06:09 *** yamamoto_ has joined #openstack-fwaas
06:14 *** bbbzhao has joined #openstack-fwaas
06:14 *** yamamoto has quit IRC
06:14 *** bbzhao has quit IRC
06:30 *** yushiro-mobile has joined #openstack-fwaas
06:31 *** openstackgerrit has quit IRC
06:54 *** eN_Guruprasad_Rn has joined #openstack-fwaas
07:11 *** openstackgerrit has joined #openstack-fwaas
08:07 <openstackgerrit> XieYingYun proposed openstack/neutron-fwaas master: Optimize the link address  https://review.openstack.org/517881
08:33 *** AlexeyAbashkin has joined #openstack-fwaas
08:42 <reedip> happy birthday yushiro-mobile :)
08:43 *** eN_Guruprasad_Rn has quit IRC
08:43 *** eN_Guruprasad_Rn has joined #openstack-fwaas
08:47 *** yushiro2-mobile has joined #openstack-fwaas
08:47 *** yushiro-mobile has quit IRC
08:47 <yushiro2-mobile> reedip, thanks a lot !!!!!!!
08:48 <reedip> :)
08:51 *** AlexeyAbashkin has quit IRC
08:51 *** AlexeyAbashkin has joined #openstack-fwaas
08:56 *** yushiro2-mobile has quit IRC
09:06 *** yamamoto_ has quit IRC
09:18 *** openstackgerrit has quit IRC
09:22 *** openstackgerrit has joined #openstack-fwaas
09:22 <openstackgerrit> Reedip proposed openstack/neutron-fwaas master: Fix validation with 'protocol' for firewall_rule  https://review.openstack.org/423229
09:32 *** hoangcx has quit IRC
09:32 *** hoangcx has joined #openstack-fwaas
10:00 *** AlexeyAbashkin has quit IRC
10:02 *** AlexeyAbashkin has joined #openstack-fwaas
10:06 *** yamamoto has joined #openstack-fwaas
10:06 *** AlexeyAbashkin has quit IRC
10:15 *** yamamoto has quit IRC
10:21 *** yamamoto has joined #openstack-fwaas
10:29 *** yamamoto has quit IRC
10:40 *** yamamoto has joined #openstack-fwaas
11:00 *** yamamoto has quit IRC
11:06 *** AlexeyAbashkin has joined #openstack-fwaas
11:18 *** annp has quit IRC
11:19 *** yamamoto has joined #openstack-fwaas
11:20 <openstackgerrit> Murali Annamneni proposed openstack/neutron-fwaas master: Enable MySQL Cluster Support for neutron-fwaas  https://review.openstack.org/513392
11:52 *** AlexeyAbashkin has quit IRC
11:55 *** AlexeyAbashkin has joined #openstack-fwaas
12:00 *** AlexeyAbashkin has quit IRC
12:13 *** AlexeyAbashkin has joined #openstack-fwaas
12:17 *** yamamoto has quit IRC
12:20 *** reedip has quit IRC
12:34 *** AlexeyAbashkin has quit IRC
13:18 *** yamamoto has joined #openstack-fwaas
13:27 *** yamamoto has quit IRC
13:32 *** eN_Guruprasad_Rn has quit IRC
13:47 *** annp has joined #openstack-fwaas
13:58 *** chandanc has joined #openstack-fwaas
14:00 <annp> hi chandanc, xgerman_
14:00 <chandanc> Hello annp
14:00 <annp> thank you for your time.
14:01 <chandanc> sure, sorry i am not able to join more often
14:01 <chandanc> lets start
14:01 <annp> chandanc, ok. let get started.
14:02 <annp> have you check my patch?
14:02 <annp> https://review.openstack.org/#/c/515368/3
14:02 <chandanc> ya, i looked at the patch
14:02 *** AlexeyAbashkin has joined #openstack-fwaas
14:02 <chandanc> so you are diverting traffic based on the eg_enabled flag per port
14:03 <annp> yes, it is
14:03 <chandanc> ok, good idea
14:03 <annp> my idea, send accept packets from fwg to sg
14:04 <annp> however, i have a problem with conntrack
14:04 <chandanc> ya got it.
14:04 <chandanc> ok, i have not tried the patch and the mail was not very clear on the conntrack part
14:05 <annp> yeah.
14:05 <annp> let me show you my idea
14:06 <chandanc> ok
14:06 <xgerman_> o/
14:06 <chandanc> hello xgerman_
14:06 <annp> hi xgerman_
14:06 <xgerman_> hi
14:06 <annp> let my explain my idea first,
14:06 <chandanc> ok
14:07 <xgerman_> k
14:08 <annp> My idea, accept packet from fwg to sg, and commit the connection to conntracker module will be done by sg
14:09 <chandanc> ok
14:09 <xgerman_> ok
14:09 <annp> so you can see in fwg no action=(ct(commit), ...) except invalid packets
14:09 <chandanc> but in case sg is disabled you will handle the conntrack ?
14:09 <xgerman_> +1
14:10 <annp> chandanc, in case sg is disabled: fwg will be process as sg
14:11 <xgerman_> ok
14:11 <chandanc> 1 sec
14:11 <annp> that's reason, i need option port_security_enabled
14:11 <chandanc> looking at your patch
14:11 <xgerman_> if we block a port which was previously open we also need to pull the conntrack
14:12 <chandanc> ok, got it
14:12 <xgerman_> the original design was to do contrack in both SG and FWG and and if the entry was there ignore the request
14:13 <xgerman_> aka the conntrack piece was a singleton…
14:13 <xgerman_> then nothing needs to change if we run standalone, etc.
14:14 <chandanc> xgerman_: i think that was a coincidence due to copying of code :) but yes with the same outcome as you mentioned
14:14 <annp> xgerman_, Do you mean that, we should make conntrack is a singleton class?
14:14 <xgerman_> yes
14:14 <xgerman_> the same state is shared between SG and FWG
14:15 <annp> from my understanding, conntracker is a module of ovs
14:15 <xgerman_> yeah, our thinking was for the iptables world
14:15 <annp> xgerman_, yeah!
14:15 <xgerman_> where we would manage the conntrack on the linux on the host
14:16 *** AlexeyAbashkin has quit IRC
14:17 <chandanc> we have only one conntrack state for the host, maintained in the kernel, it can be accessed through ovs,cli, netlink , this is my understanding
14:18 <annp> chandanc, yes! you're right
14:18 <xgerman_> ok, great
14:19 <xgerman_> now I thought the neutron conntrack module had internal data structures we needed to share between FWH and SG — but it has been >1 year since I looked at that
14:19 <chandanc> so, can you explain the issue you faced with the current patch and conntrack
14:19 <chandanc> xgerman_: the conntrack class still needs to be singleton
14:20 <annp> the problem: why conntrack state has been change from +new-est to +est-rep+rpl for first packet
14:20 <chandanc> else different parts of the agent can become out of sync
14:20 <xgerman_> +1
14:21 <chandanc> sorry but annp can you please explain the +est-rep+rpl
14:21 <chandanc> what is rpl
14:21 <chandanc> rep is reply right ?
14:24 <annp> rep: reply
14:24 <chandanc> annp: can you paste the flow you mentioned in the mail, here.
14:25 <chandanc> it came a bit jumbled
14:25 <chandanc> VMB -> TRANSIENT_TABLE -> EGRESS_BASE_TABLE -> ACCEPT_OR_INGRESS_TABLE -> go to switch -> TRANSIENT_TABLE -> FW_EGRESS_BASE_TABLE -> FW_EGRESS_RULE
14:25 <chandanc>                -> FW_ACCEPT_OR_INGRESS_TABLE -> FW_BASE_INGRESS_TABLE -> FW_INGRESS_RULE
14:25 <annp> chandanc, sorry, i don't have it here
14:25 <chandanc> ok
14:25 <annp> chandanc, i'm in home now
14:25 <annp> tomorrow, i will share it with you
14:25 <chandanc> sure, may be put in paste/etherpad
14:26 <xgerman_> https://www.irccloud.com/pastebin/Tzjnny4H/
14:26 <xgerman_> ^^ it arrived unscrambled for me
14:26 <xgerman_> oh, now it's scrambled
14:27 <xgerman_> https://usercontent.irccloud-cdn.com/file/tCMbny1u/Screen%20Shot%202017-11-06%20at%206.28.23%20AM.png
14:27 <chandanc> may be locale
14:27 <xgerman_> ok, I uploaded a screenshot :-)
14:27 <chandanc> thanks :)
14:28 <chandanc> what the "go to switch" mean ? Physical switch ?
14:28 <annp> rpl - Packet is in reply direction
14:28 <annp> rel - Related - ICMP, eg "dst_unreach" response / helper "related" connection
14:29 <chandanc> oh ok
14:29 <annp> go to switch mean br-int
14:30 <chandanc> i thought the rules are on br-int
14:30 <chandanc> right ?
14:31 <annp> the problem: conntrack state change from +new-est to +est-rel+rpl so 1st packet come to fwg will be matched with flow at https://review.openstack.org/#/c/515368/3/neutron_fwaas/services/firewall/drivers/linux/l2/openvswitch_firewall/firewall.py@679
14:31 <annp> yes.
14:31 <annp> In case vm1 and vm2 is same host
14:32 <annp> In my case vm1 and vm2 is same host
14:33 <chandanc> so the logs that you captured are from running the latest code in your patch ?
14:33 <annp> chandanc, yes!
14:34 <openstackgerrit> boden proposed openstack/neutron-fwaas master: DNM: testing 516456  https://review.openstack.org/517998
14:35 <chandanc> one more question. Did you stop the ping and start the ping again ? or did you keep running the ping and changed the rule
14:35 <annp> chandanc, i did both
14:36 <chandanc> oh, first one should fail ping
14:36 <annp> both will be failed
14:36 <chandanc> yes if you remove the conntrack correctly the 2nd also should fail
14:37 <xgerman_> +1
14:37 <annp> because, if conntrack state will be set to ct_mark_invalid
14:37 <chandanc> ok
14:38 <chandanc> does it work correctly with SG only ?
14:38 <annp> yes, It works perfect
14:39 <annp> https://review.openstack.org/#/c/515368/3/neutron_fwaas/services/firewall/drivers/linux/l2/openvswitch_firewall/firewall.py@708
14:39 <chandanc> then as per the patch if we enable both SG and FWG and SG manages the conntrack it should work
14:40 <annp> chandanc, yes. that's reason. I don't understanding why conntrack state has been change for 1st packet in MY CASE
14:40 <chandanc> the new scenario is only introduced if we have SG disabled and FWG is managing conntrack
14:40 <chandanc> yes annp
14:41 <annp> if we have SG disable, fwg will be works same as sg
14:42 <chandanc> hmm
14:42 <chandanc> i guess we will need to do some live debugging
14:42 <xgerman_> mmh, so SG allows packet and we drop it
14:42 <annp> however, if we enable SG or operator forgot to disable, there is problem!
14:44 <chandanc> sorry annp , did not catch your last comment
14:44 <xgerman_> well, if SG is disabled we work great — but that's not our ultimate goal…
14:44 <annp> xgerman_, right
14:45 <chandanc> oh ok ok
14:45 <annp> chandanc, It's my concern!
14:46 <annp> chandanc, there is difficult for me to explain the problem, if you have chance please try to test my case
14:47 <chandanc> i will, but will need some time.
14:48 <annp> chandanc, yeah! it will be take time.
14:48 <chandanc> is this upto date https://etherpad.openstack.org/p/fwaas-v2-l2
14:49 <annp> chandanc, yes
14:49 <chandanc> xgerman_: is the l2 agent merged already ?
14:49 <xgerman_> don't think so
14:49 <chandanc> oh ok
14:49 <xgerman_> I merged default FWG last week
14:50 <chandanc> ok
14:51 *** AlexeyAbashkin has joined #openstack-fwaas
14:51 <chandanc> ok, i will bring up a setup and try to figure out. But it will take some time for me (due to other issue at the office)
14:52 <chandanc> will keep you posted
14:52 <chandanc> annp: do you want me to try anything specific, or just ping test ?
14:53 <annp> chandanc, i think just ping test is enough
14:53 <chandanc> ok will try
14:54 <annp> tomorrow, i will update etherpad with ovs flows, so we can see ovs flows for more clear problem
14:54 <chandanc> ok
14:55 <chandanc> do we have a meeting this week ?
14:55 <annp> xgerman_, chandanc, sorry for today. I haven't provide enough information.
14:55 <xgerman_> no worries — we got some important clarifications
14:55 <chandanc> no, problem. I wanted to understand the problem
14:55 <annp> IIRC, this week won't have a meeting
14:56 <chandanc> ok
14:57 <chandanc> ok, then let me get back with test results
14:57 <chandanc> annp if you figure out something let me know
14:57 <annp> yeah! thanks in advance.
14:57 <chandanc> sure, welcome
14:57 <annp> Sure! i will share with you.
14:58 <annp> xgerman, chandanc, thanks for discussion today
14:58 <chandanc> thanks
14:58 <annp> I need more time to make the problem more clear
14:58 <xgerman_> thanks
14:59 <annp> So I will let you know, after i make it clear on etherpad
14:59 <chandanc> sure send a reply to the mail thread
14:59 <chandanc> ok, bye for now
14:59 <annp> chandanc, sure, see you!
14:59 <annp> xgerman_, have you go to office?
15:00 <xgerman_> no, I work from home :-)
15:00 <annp> xgerman_, oh really!
15:01 <annp> xgerman_, have a great day ahead
15:01 <annp> xgerman_ i will off now! see you
15:01 <xgerman_> yes, see you
15:01 *** annp has quit IRC
15:07 *** chandanc has left #openstack-fwaas
15:15 *** AlexeyAbashkin has quit IRC
20:12 *** jdavis has joined #openstack-fwaas
20:13 *** jdavis has quit IRC
20:49 *** jdavis has joined #openstack-fwaas
21:00 *** AlexeyAbashkin has joined #openstack-fwaas
21:04 *** AlexeyAbashkin has quit IRC
21:18 *** jdavis has quit IRC

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!