#openstack-fwaas log

14:00:40 <SridarK> #startmeeting fwaas
14:00:40 <openstack> Meeting started Thu May  3 14:00:40 2018 UTC and is due to finish in 60 minutes.  The chair is SridarK. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:41 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:00:44 <openstack> The meeting name has been set to 'fwaas'
14:00:51 <SridarK> #chair xgerman_
14:00:51 <openstack> Current chairs: SridarK xgerman_
14:01:15 <SridarK> yushiro is out this week on time off
14:01:24 <reedip_> o/
14:02:00 <doude> hi
14:02:40 <SridarK> #topic announcements
14:03:33 <xgerman_> o/
14:03:45 <annp> hi
14:03:49 <xgerman_> So the new TC got lected
14:04:07 <SridarK> PTG announcement - it will be in Denver in Sep - if folks want to plan for it
14:04:34 <xgerman_> #link https://governance.openstack.org/election/results/rocky/tc.html
14:04:43 <xgerman_> yesh, train 2.0
14:05:01 <SridarK> xgerman_: :-)
14:05:19 <SridarK> although i saw email that it will be better this time
14:05:48 <SridarK> any other announcements from folks ?
14:05:52 <SridarK> xgerman_:
14:05:54 <reedip_> I might miss it :(
14:06:25 <SridarK> reedip_: I am not sure either it is a bit early to decide
14:07:04 <SridarK> ok lets move on
14:07:27 <SridarK> #topic Rocky Pluggable backend driver
14:07:32 <SridarK> doude: pls go ahead
14:09:07 <doude> I fixed the issue raised in reviews
14:09:28 <doude> and pushed a new patch set #20 last week
14:09:54 <doude> I also send a answer to NSX developper today
14:10:03 <SridarK> annp: thx for the tests
14:10:10 <xgerman_> +1
14:10:17 <annp> doude, SridarK, I tried to tested with latest patch, It worked fine in my environment.
14:10:33 <SridarK> annp: great
14:10:39 <annp> SridarK, Have you tested with latest patch?
14:10:52 <doude> thanks for your feedback annp
14:11:08 <SridarK> doude: sounds good - i think we can confirm with the NSX folks
14:11:12 <annp> doube, you're welcome
14:11:14 <SridarK> then we should be good
14:11:27 <annp> SridarK, +1
14:11:34 <SridarK> annp: no i have not yet - will do so tomorrow
14:11:48 <annp> +1
14:11:52 <doude> yes SridarK I also invite her to reach me on IRC to discuss it if needed
14:12:01 <SridarK> doude: perfect
14:12:30 <SridarK> and annp u have verfied on a multinode setup ?
14:13:06 <annp> SridarK, I haven't verfied on multiple node environment yet.
14:13:23 <annp> SridarK, I'm planing do this in tomorrow.
14:13:24 <SridarK> annp: ok, i recalled yushiro mentioning that
14:13:32 <SridarK> annp: oh ok good
14:13:52 <SridarK> doude: anything else u would like to discuss ?
14:13:54 <annp> I will comment on gerrit when i finish testing
14:14:53 <doude> no I'm good
14:15:16 <annp> doube, +1 :)
14:15:25 <SridarK> #topic Rocky Remote FWG
14:15:30 <SridarK> xgerman_: pls go ahead
14:15:59 <xgerman_> ok, I am battling sql alchemy — somehow my model doesn’t align with the  update scripts
14:16:13 <xgerman_> I also started with the ovs conjecture stuff
14:16:33 <SridarK> xgerman_: i saw the other patch
14:17:14 <xgerman_> yes, the conjecture is super interesting… and I also will need to do the router port stuff
14:17:39 <xgerman_> if anyone wants to help I am happy to split accordingly
14:18:13 <annp> xgerman_, I can help you :)
14:18:15 <reedip_> share the sql alchemy patch please :)
14:18:42 <xgerman_> #link https://review.openstack.org/#/c/521207/
14:18:52 <SridarK> xgerman_: as a usecase would the Router port be just as important as the L2 port as well ?
14:19:38 <xgerman_> the remote fwg resolve to the ip addresses on the ports. So you would drop/deny/accept traffic if those ips are in src/dst
14:19:52 <xgerman_> that looked like a router port application
14:20:01 <SridarK> yes agree
14:20:30 <xgerman_> though if you have L2 that might be redundant
14:22:54 <annp> xgerman_, +1
14:23:48 <SridarK> sounds good, i have to understand the mapping on the driver side
14:24:04 <SridarK> xgerman_: anything else u would like to discuss
14:24:11 <xgerman_> no, that’s all
14:24:22 <SridarK> ok lets move on
14:24:47 <SridarK> #topic Rocky FWaaS Logging Spec
14:24:59 <SridarK> annp: pls go ahead
14:25:29 <annp> There is one question from amotoki
14:26:14 <annp> I'm not sure whether we need a L3 logging extension same fwaas v2 or not.
14:26:28 <amotoki> in my understanding, ovs flows for logging are installed by l2-agent, but iptables rule in l3 netns will be installed by l3-agent.
14:27:03 <amotoki> this is the reason of my question
14:27:35 <annp> amotoki, So we need a l3 logging extension, right?
14:28:01 <amotoki> annp: I am not sure on the point honestly
14:28:29 <amotoki> at least it sounds odd to me that l2-agent extension manages l3 iptable rules.
14:28:56 <xgerman_> yeah, l2 will only see packets l3 passed
14:29:12 <amotoki> I believe iptables in router netns should be managed by l3-agent
14:29:20 <xgerman_> +1
14:29:21 <annp> amotoki, yes. So it's better to follow fwaas v2 worked
14:29:46 <amotoki> annp: what do mean by "follow fwaas v2 worked" ?
14:30:12 <annp> amotoki, I mean we will have l3 logging extension
14:30:23 <amotoki> okay
14:31:06 <annp> amotoki, Do we need to mention this point on spec?
14:31:22 <amotoki> annp: I believe so.
14:31:43 <annp> amotoki, Agree!
14:31:57 <amotoki> this is related to what agent extension we need to implement it.
14:32:21 <annp> amotoki, I will update spec. Thanks
14:32:30 <amotoki> apart from that, I see no other blocking issue in the spec.
14:32:45 <annp> amotoki, +1
14:32:48 <SridarK> annp: i think u are clear on the driver aspect but perhaps u just need to clear up on the agent ext
14:33:12 <annp> SridarK, yeah. It should be clearly.
14:34:00 <annp> SridarK, that's all for fwaas logging spec
14:34:06 <amotoki> I just concerned l3 stuff is managed by l2 agent ext when I read the spec. I believe we are in the same page.
14:34:41 <annp> amotoki, yes, we're same page now :) Thanks.
14:34:42 <SridarK> +1
14:34:55 <SridarK> ok sounds good -
14:35:01 <amotoki> :)
14:35:10 <annp> :)
14:35:21 <annp> SridarK, please move on
14:35:29 <SridarK> #topic Rocky Address Group Spec
14:35:35 <SridarK> wkite: pls go ahead
14:35:59 <SridarK> #link https://review.openstack.org/557137
14:36:18 <SridarK> request folks to take a look as well
14:37:08 <SridarK> wkite: would u like to discuss something here
14:37:50 <SridarK> wkite: thx for addressing the comments from before
14:38:33 <SridarK> ok if nothing lets move on
14:38:53 <SridarK> #topic Stateless Firewall
14:38:57 <SridarK> ndefigueiredo: hi
14:39:21 <SridarK> ndefigueiredo: would u like to update on any recent activity
14:40:20 <ndefigueiredo> Hi all, unfortunately I have not been able to work on the stateless firewall. I have been engaged with setting up our third party CI.
14:40:55 <SridarK> ndefigueiredo: ok keep us updated on when things pick up and we can discuss
14:41:36 <SridarK> #topic Open Discussion
14:41:55 <ndefigueiredo> yes, will do, once the CI is up and running I will be able to move on to actual Neutron development.
14:42:01 <amotoki> back to the past topic. just a maintenance question: I see a blueprint but do we have a RFE on the address group?
14:42:05 <SridarK> We have an action to triage bugs - we will get it done and then discuss
14:42:26 <reedip_> We need to discuss the bugs
14:42:35 <reedip_> which are open/in progress
14:42:49 <SridarK> wkite: ^^^ i think u were going to file an RFE
14:42:57 <SridarK> for Address Groups
14:43:33 <SridarK> reedip_: lets do some triage offline and bring it up in next mtg
14:43:46 <annp> xgerman, SridarK, Can you do me a favor?
14:43:53 <xgerman_> sure
14:43:55 <SridarK> annp: sure
14:44:35 <amotoki> wkite: SridarK: it would be appreciated if you add a link to an RFE to the spec of address group. I just could not identify it.
14:44:42 <annp> xgerman, SridarK, yeah. Can you become moderator for topic https://etherpad.openstack.org/p/fwaas-v2-L7-filtering at vancouver's forum?
14:44:51 <SridarK> annp: sure
14:45:26 <SridarK> annp: is there some procedure to be followed or u can just add us ?
14:45:45 <annp> xgerman, SridarK, I'm afraid my english not enough to discussion :(
14:45:53 <SridarK> amotoki: agreed, not sure if wkite stepped away
14:46:21 <SridarK> annp: i think ur English is good but we can help
14:46:33 <amotoki> SridarK: no problem. if needed, let's file it.
14:46:56 <annp> SridarK, I guess I just add u and xgerman_ but let me find out
14:46:59 <amotoki> annp: no worries on english.
14:47:14 <xgerman_> annp: we will be there if added or not
14:47:22 <SridarK> annp: ok sounds good
14:47:35 <SridarK> xgerman_: +1
14:47:43 <amotoki> regarding the forum topic, we can add questions in advance if we have.
14:48:01 <annp> amotoki, thank you. actually, I'm not confident about english skill and technical also :)
14:48:06 <reedip_> sorry guys, but got to go... would be back next week ... thanks :) @SridarK: will do some more triaging offline
14:48:07 <amotoki> I wonder how the reference implement of L7 firewall would be.
14:48:21 <SridarK> reedip_: sounds good
14:48:49 <annp> amotoki, how about bpf?
14:49:11 <xgerman_> +1 bpf
14:49:14 <SridarK> annp: we should also meet up earlier in Vancouver and have a discussion on some thoughts, usecase, potential implementation approaches
14:49:25 <xgerman_> yes, being prepared is always good
14:49:44 <amotoki> annp: it is a good candidate. I am not sure at now what level of filtering bpf supports.
14:49:46 <annp> SridarK, sure. When will you reach out vancouver?
14:50:03 <SridarK> annp: I get there on Sun afternoon
14:50:13 <xgerman_> I et there Sunday night and Monday are all the LBaaS talks
14:50:30 <annp> SridarK, I will get ther on Sun evening.
14:51:08 <SridarK> Ok we should set some time and location so we can meet
14:51:10 <amotoki> I think we can add more breakdown sub-topics to the etherpad :)
14:51:37 <annp> amotoki, let's me find out your question.
14:51:55 <amotoki> when is the session scheduled?
14:52:01 <SridarK> amotoki: yes we shd do that
14:52:23 <annp> amotoki, Thursday morning
14:52:42 <amotoki> nice, we have enough time at YVR :)
14:52:52 <SridarK> amotoki: would u also be available for some initial discussions ?
14:53:22 <amotoki> SridarK: I hope so. I can be there with 99% though I haven't got the final approval.
14:53:50 <SridarK> amotoki: oh ok - we will keep u in the loop
14:53:55 <amotoki> thanks
14:55:07 <annp> SridarK, amotoki, xgerman, How about Tuesday morning?
14:55:18 <SridarK> annp: yes that works
14:56:23 <SridarK> we can continue discussion in etherpad (may be a separate one we can use for coordination)
14:56:35 <amotoki> +1
14:56:49 <annp> SridarK, +1
14:58:45 <SridarK> annp: sounds good and we can discuss on the channel as well - if u want to a fix a time - pls send us an email
14:58:57 <SridarK> ok i think we are almost at time
14:59:06 <annp> SridarK, Sure.
14:59:09 <SridarK> thanks all for joining
14:59:18 <SridarK> #endmeeting