| *** lnicolas has quit IRC | 01:52 | |
| *** threestrands has joined #openstack-fwaas | 01:55 | |
| *** lnicolas has joined #openstack-fwaas | 02:00 | |
| *** bbzhao has quit IRC | 03:24 | |
| *** threestrands has quit IRC | 07:25 | |
| *** annp has joined #openstack-fwaas | 07:26 | |
| *** openstackgerrit has joined #openstack-fwaas | 08:58 | |
| openstackgerrit | Cao Xuan Hoang proposed openstack/neutron-fwaas master: WIP [log]: Add rpc stuff for logging https://review.openstack.org/530715 | 08:58 |
|---|---|---|
| *** annp has quit IRC | 10:12 | |
| -openstackstatus- NOTICE: zuul seems to have gotten stuck and will probably need a restart, please be patient | 11:27 | |
| *** openstackstatus has quit IRC | 11:28 | |
| *** openstack has quit IRC | 11:28 | |
| *** openstack has joined #openstack-fwaas | 13:08 | |
| *** ChanServ sets mode: +o openstack | 13:08 | |
| *** openstackstatus has joined #openstack-fwaas | 13:09 | |
| *** ChanServ sets mode: +v openstackstatus | 13:09 | |
| *** cleong has joined #openstack-fwaas | 13:35 | |
| *** annp has joined #openstack-fwaas | 13:51 | |
| xgerman_ | o/ | 13:58 |
| annp | hi xgerman | 13:59 |
| annp | hi all | 13:59 |
| annp | happy new year :) | 13:59 |
| xgerman_ | happy new year | 13:59 |
| xgerman_ | #startmeeting fwaas | 14:00 |
| xgerman_ | mmh, is the bot sick? | 14:00 |
| *** SarathMekala has joined #openstack-fwaas | 14:00 | |
| annp | maybe :) | 14:01 |
| xgerman_ | #startmeeting fwaas | 14:01 |
| xgerman_ | #topic Announcements | 14:01 |
| xgerman_ | :-( | 14:01 |
| xgerman_ | well, I guess we need to go without bot today | 14:03 |
| annp | yes i think so | 14:03 |
| xgerman_ | also just got note that both yushiro and sridark won’t be here :-( | 14:03 |
| xgerman_ | so Q-3 is 1/22 | 14:04 |
| xgerman_ | #link https://releases.openstack.org/queens/schedule.html | 14:04 |
| xgerman_ | #topic FWG and SG | 14:05 |
| xgerman_ | if two ports are in the same SG the rules won’t apply, e.g. if you are blocking ping the two hosts can still ping each other | 14:06 |
| xgerman_ | in FWG we apply the rules irregardless, e.g. we would block the ping to the two ports | 14:06 |
| xgerman_ | I am not sure if we should adapt SG behavior, keep ours, or do something completely different | 14:07 |
| xgerman_ | thoughts? | 14:07 |
| annp | xgerman, I am not sure | 14:08 |
| annp | actually, I haven't thought about that | 14:09 |
| SarathMekala | xgerman_, any idea what the reasoning behind SG behaviour is? | 14:09 |
| *** yushiro has joined #openstack-fwaas | 14:10 | |
| xgerman_ | I can only speculate but maybe they tried to implement zones | 14:10 |
| yushiro | Hi, sorry for late!! | 14:10 |
| xgerman_ | no worries - meetbot is not working today | 14:10 |
| xgerman_ | we were just talking about: | 14:11 |
| yushiro | xgerman_, Aha, OK. I saw ur e-mail. Thanks. | 14:11 |
| xgerman_ | https://www.irccloud.com/pastebin/U9cW9o1H/ | 14:11 |
| annp | xgerman, do you mean we need to consider source group id and dst group id in the firewall rule, right? | 14:11 |
| SarathMekala | hmm.. but even if two hosts belong to a zone there can be a rule to block traffic between them.. it works this way on Juniper FW devices | 14:11 |
| SarathMekala | not sure about the industry behaviour | 14:11 |
| xgerman_ | annp: in our spec that more or less makes it easier to manage group of ports | 14:12 |
| xgerman_ | SarathMekala: yeah, that makes sense. | 14:12 |
| xgerman_ | Once we have remote FWG people can mimic the SG behavior, e.g. set in FWG A a rule which references FWG A and allows access | 14:14 |
| yushiro | thanks. just watched.. | 14:14 |
| annp | xgerman, yes but in the SG, we only care about remote group id | 14:15 |
| xgerman_ | yeah, they only have it as source | 14:16 |
| annp | xgerman, and we don't care about local group id | 14:16 |
| yushiro | +1 SG retrieves 'remote_group_id' as 'source'. | 14:17 |
| xgerman_ | yeah, my main worry is that people will expect us to behave like SG and wonder why we block their traffic… | 14:18 |
| yushiro | xgerman_, Ah, OK. I see your concern point. | 14:19 |
| xgerman_ | we can always document that… | 14:20 |
| yushiro | I think current SG is 'allow wins'. | 14:20 |
| annp | xgerman, +1 :) | 14:21 |
| yushiro | ah, sorry. What I'd like to say is that 'remote_group_id' wins in case of SG. | 14:21 |
| xgerman_ | yeah, they modeled SG after AWS and they moved on, too | 14:22 |
| yushiro | OK | 14:23 |
| yushiro | However, I think FWaaS should keep 'deny wins'. So, it's better to describe in document. | 14:23 |
| xgerman_ | +1 | 14:24 |
| SarathMekala | +1 | 14:24 |
| yushiro | So, if fwg includes at least 1 deny HTTP rule and this fwg is specified 'remote_firewall_group_id', | 14:25 |
| yushiro | HTTP access should be denied from IP addresses which is applied same FWG. | 14:25 |
| yushiro | I think this behavior looks safety side. | 14:26 |
| yushiro | annp, thought? | 14:27 |
| annp | yushiro, not sure, it will make sense for fwaas | 14:27 |
| xgerman_ | I think being explicit with the allows and denying everything even if in the same FWG or remote FWG makes sense | 14:28 |
| *** sarathmekala_ has joined #openstack-fwaas | 14:29 | |
| yushiro | xgerman_, +1. FWaaS behavior should keep consistency like 'deny win' | 14:30 |
| yushiro | Adding 'allow fwg rule' and 'remote_fwg_id' are same meaning --> applying 'allow' rule | 14:32 |
| *** SarathMekala has quit IRC | 14:33 | |
| xgerman_ | yep, we to make sure to minimize confusion when people run both, FW and SG, and SG behavior changes because of FW | 14:33 |
| doude | Hi | 14:35 |
| doude | sorry I'm late | 14:35 |
| yushiro | hi, happy new year!!, doude | 14:35 |
| xgerman_ | +1 | 14:35 |
| doude | Thanks, Happy new year tp | 14:35 |
| doude | to* | 14:35 |
| annp | xgerman, yushiro, SarathMekala, Can we come back this topic in next mtg? I would like to dig more about that :) | 14:35 |
| xgerman_ | ok, sounds good | 14:36 |
| yushiro | annp, OK. Maybe you're considering an 'order' of rule.. Let's dig it more. | 14:36 |
| annp | and in next mtg, I hope SridarK and chandanc will be there :) | 14:36 |
| xgerman_ | +1 | 14:36 |
| annp | yushiro, yes :) you read my mind | 14:36 |
| yushiro | haha :) | 14:37 |
| annp | So let's discuss in next mtg | 14:38 |
| yushiro | OK | 14:38 |
| xgerman_ | +1 | 14:38 |
| sarathmekala_ | +1 | 14:39 |
| xgerman_ | #topic Q-3 | 14:39 |
| annp | and I have one more patch that needs your eye related to firewall driver | 14:39 |
| annp | https://review.openstack.org/#/c/530450/ | 14:39 |
| yushiro | OK | 14:41 |
| xgerman_ | +1 | 14:41 |
| annp | In this patch I try to fix the issue that is specified in release note of co-existence patch | 14:41 |
| xgerman_ | I think we have mostly conntrack and remote FWG left for Queens… | 14:41 |
| annp | so please have a look at it :) | 14:42 |
| yushiro | xgerman_, yes. | 14:42 |
| yushiro | I updated etherpad L.89~ | 14:42 |
| annp | xgerman, yes, I think so | 14:43 |
| *** yamamoto has quit IRC | 14:43 | |
| yushiro | bumped patch for Q-3 is 2. 1. Remote fwg 2. Auto association for default fwg | 14:43 |
| xgerman_ | thanks | 14:44 |
| xgerman_ | yeah, we accomplished a lot this cycle already — | 14:45 |
| yushiro | I think doude's work is also worth to try to merge during Q-3... | 14:46 |
| xgerman_ | ok, we should totally aim for that | 14:46 |
| -openstackstatus- NOTICE: zuul has been restarted, all queues have been reset. please recheck your patches when appropriate | 14:46 | |
| yushiro | welcome back, zuul | 14:47 |
| xgerman_ | ;-) | 14:47 |
| doude | I finished to rebase the master branch | 14:48 |
| yushiro | doude, +10 wow, great :) | 14:48 |
| doude | I still have some code to rework (new code since my last patch set) | 14:48 |
| doude | and after I need to validate nothing broken (devstack scripts, gates...) | 14:49 |
| doude | then propose a new patch set to review | 14:49 |
| xgerman_ | yeah, we will do the same once it’s proposed for review ;-) | 14:49 |
| yushiro | OK | 14:49 |
| doude | ok I hope to do that before next weekend | 14:49 |
| xgerman_ | awesome | 14:50 |
| yushiro | :) | 14:50 |
| yushiro | sarathmekala_, Do you have some announcement for horizon part for Q-3? | 14:50 |
| yushiro | s/some/any | 14:51 |
| sarathmekala_ | no yushiro | 14:51 |
| yushiro | OK. BTW, I and xgerman_ has commented your google doc. could you check it later ?? https://docs.google.com/document/d/1yKreFzwHsp-TMhB1xDH-EhGHBTGawFAaG1x6ukGJUK4/edit | 14:52 |
| yushiro | ^^^ last year | 14:52 |
| xgerman_ | with OpenStack going to yearly releases we should aim to get as much into Queens as possible | 14:52 |
| sarathmekala_ | yeah.. had looked at them last year as well :) | 14:52 |
| yushiro | +100 yeah | 14:52 |
| yushiro | sarathmekala_, OK :) | 14:53 |
| sarathmekala_ | +1 | 14:53 |
| sarathmekala_ | yushiro, xgerman_ I will add my replies to the comments | 14:53 |
| yushiro | sarathmekala_, OK, thanks. will check it later :) | 14:54 |
| xgerman_ | T-6 | 14:54 |
| *** annp has quit IRC | 14:55 | |
| yushiro | Please say it again. Everyone, happy new year!! 2018 | 14:55 |
| xgerman_ | +1 | 14:56 |
| xgerman_ | also update your OS(es) | 14:56 |
| yushiro | I hope we can spend wonderful life in this year and make FWaaS much more better. | 14:56 |
| yushiro | :) | 14:57 |
| sarathmekala_ | yushiro, same to you :) | 14:57 |
| xgerman_ | +1 | 14:57 |
| xgerman_ | #endmeeting :-) | 15:00 |
| yushiro | Thanks. bye bye | 15:00 |
| xgerman_ | bye | 15:00 |
| sarathmekala_ | bye all | 15:00 |
| *** yushiro has quit IRC | 15:00 | |
| *** sarathmekala_ has quit IRC | 15:00 | |
| *** yamamoto has joined #openstack-fwaas | 15:01 | |
| doude | bye | 15:02 |
| *** mlavalle has joined #openstack-fwaas | 15:14 | |
| *** jafeha has quit IRC | 16:01 | |
| *** ChanServ sets mode: -r | 16:47 | |
| *** jafeha has joined #openstack-fwaas | 16:57 | |
| *** mlavalle has left #openstack-fwaas | 17:07 | |
| *** SumitNaiksatam has joined #openstack-fwaas | 18:14 | |
| *** yamamoto has quit IRC | 18:29 | |
| *** yamamoto has joined #openstack-fwaas | 18:33 | |
| *** yamamoto has quit IRC | 18:37 | |
| *** yamamoto has joined #openstack-fwaas | 19:35 | |
| *** yamamoto has quit IRC | 19:42 | |
| *** SumitNaiksatam has quit IRC | 20:13 | |
| *** cleong has quit IRC | 21:23 | |
| *** threestrands has joined #openstack-fwaas | 21:35 | |
| *** threestrands has quit IRC | 21:35 | |
| *** threestrands has joined #openstack-fwaas | 21:35 | |