#openstack-fwaas log

14:01:18 <yushiro> #startmeeting fwaas
14:01:24 <openstack> Meeting started Thu Sep 27 14:01:18 2018 UTC and is due to finish in 60 minutes.  The chair is yushiro. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:01:25 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:01:28 <openstack> The meeting name has been set to 'fwaas'
14:01:45 <yushiro> #chair xgerman_
14:01:45 <openstack> Current chairs: xgerman_ yushiro
14:02:18 <yushiro> I don't see SridarK today.
14:02:40 <yushiro> OK, let's begin.
14:02:42 <yushiro> #topic announcements
14:02:49 <annp> hi
14:03:01 <annp> sorry for come late
14:03:21 <yushiro> annp: Hi.  1 announcement.  Currently, we're "announcement" topic.
14:03:33 <longkb> o/
14:03:46 <yushiro> Hi SridarK :)
14:03:53 <yushiro> #chair SridarK
14:03:54 <openstack> Current chairs: SridarK xgerman_ yushiro
14:04:02 <annp> yushiro, thanks. please go ahead.
14:04:18 <yushiro> SridarK: We're "announcement" topic now :)
14:04:33 <xgerman_> o/
14:04:40 <SridarK_> oops sorry back
14:04:49 <yushiro> OK
14:05:36 <yushiro> I think there is no more announcements.  Let's move on next topic.
14:05:57 <yushiro> #topic Stein
14:06:14 <xgerman_> I think TC vote should close
14:06:23 <yushiro> xgerman_: Aha, yes.
14:07:14 <yushiro> Anything else to announce ??
14:07:36 <yushiro> #chair SridarK_
14:07:37 <openstack> Current chairs: SridarK SridarK_ xgerman_ yushiro
14:07:53 <yushiro> Today, we're 4 cores :)
14:08:00 <xgerman_> summit is like 6 weeks away ;-)
14:08:08 <SridarK_> my evil twin
14:08:17 <SridarK_> some issues with the connectivity
14:08:21 <SridarK_> :-)
14:08:26 <yushiro> SridarK_: Don't warry :)
14:08:36 <yushiro> xgerman_: Yeah, Berlin summit.
14:08:39 <SridarK_> I am multitasking in another mtg so slow
14:08:44 <xgerman_> me, too
14:09:18 <yushiro> Wow, you are busy now.  I see.  I'm multi-task too but chat and eating :)
14:09:33 <xgerman_> oh, I haven’t had breakfast
14:09:35 <SridarK_> :-)
14:10:12 <yushiro> haha
14:10:23 <annp> :-)
14:10:45 <yushiro> So, annp, regarding regression test for fwg logging result, 2 issues are merged,
14:10:49 <yushiro> right ?
14:10:59 <annp> yushiro, right.
14:11:46 <yushiro> longkb: You're trying to follow-up fwg logging patch, and ready for review, right ?
14:11:56 <longkb> yushiro: yep
14:12:22 <yushiro> OK, I'll definitely review this patch in addition to functional patch.
14:12:31 <annp> yushiro, +1
14:12:32 <longkb> There are 02 patches that need review: https://review.openstack.org/#/c/600660/ and https://review.openstack.org/#/c/598601/
14:12:41 <yushiro> longkb: +1
14:12:51 <yushiro> OK, anything else for fwg logging ?
14:13:04 <longkb> ah, don't forget your python-client patch :D yushiro
14:13:26 <yushiro> longkb: Sure.  But it is not for fwg logging but also SNAT one :)
14:13:38 <yushiro> s/not/not only
14:13:43 <longkb> yushiro: +1
14:13:51 <yushiro> Next:  remote fwg
14:14:10 <xgerman_> yeah, not much progress… lot’s of internal stuff
14:14:37 <xgerman_> hoping to some stuff inthe next few days
14:14:43 <yushiro> xgerman_: Sure.  have you fixed DB issue??  If not, we can take a look.
14:15:19 <xgerman_> No, my hunch is still some version mismatch…
14:17:11 <yushiro> annp: Can you take a look https://review.openstack.org/#/c/521207/41  if you have bandwidth?
14:17:26 <annp> yushiro, sure. I will take a look.
14:17:31 <yushiro> annp: :)
14:17:49 <yushiro> #topic specs
14:18:21 <yushiro> fwaas 2.0 address groups support:  https://review.openstack.org/557137
14:18:55 <SridarK_> I recall the contributor had some code in progress
14:19:06 <yushiro> wkite is not here today.
14:19:09 <yushiro> SridarK_: OK
14:19:41 <yushiro> (hongbin) fwaas: add support for dynamic rules https://review.openstack.org/#/c/597724/
14:20:22 <yushiro> We've discussed at PTG but I haven't reviewed yet.  will reflect my comment.
14:20:35 <yushiro> hongbin is not here today.
14:20:52 <yushiro> Same as extend firewall group inclusion https://review.openstack.org/#/c/600261/
14:21:53 <yushiro> #topic Horizon support
14:22:50 <yushiro> Sarath is not here today.  I'll figure out what improvements are necessary in Stein.
14:23:33 <yushiro> #topic bugs
14:24:42 <yushiro> https://bugs.launchpad.net/neutron/+bug/1595440
14:24:42 <openstack> Launchpad bug 1595440 in neutron "neutron-fwaas ships /usr/bin/neutron-l3-agent a 2nd time" [High,Confirmed]
14:25:16 <yushiro> I think it is not issue at present.
14:25:35 <yushiro> It's ok to set 'invalid' or other status as reedip said.
14:26:34 <annp> yushiro, +1
14:26:57 <yushiro> DVR + L3-HA issue: https://review.openstack.org/#/c/580552/
14:27:22 <yushiro> I'm sorry.  I don't have much bandwidth these month.  I need volunteer for this patch.
14:28:13 <yushiro> In case of L3-HA, we should apply fwg rules not only 'active' router but also all of 'standby' routers.
14:28:39 <yushiro> annp: longkb:  I think fwg logging also includes same issue in case of L3-ha.
14:28:44 <annp> yushiro, I can help you :)
14:28:52 <xgerman_> thanks
14:29:14 <annp> yushiro, I'm not sure. Let's us dig more.
14:29:27 <longkb> +1 annp :)
14:30:01 <yushiro> annp: NFLOG rules(logging rules in iptables) should be configured both 'active' and 'standby' routers.
14:30:46 <yushiro> When switching over from 'active' to 'standby' router, only conntrack information should be migrated.  That is current specification of L3-Ha.
14:31:56 <yushiro> In order to apply fwg rules or fwg logging after switch over, we should apply same rule in advance..
14:32:26 <annp> yushiro, yes. I think so.
14:33:19 <yushiro> annp: currently, we are finding router namespace from a neutron port.  Current logic can get only namespace with 'standby' router!!
14:34:20 <yushiro> #topic Open Discussion
14:34:31 <yushiro> Wow, today is so fast :-)
14:34:53 <annp> yushiro, I'll look at the DVR + L3HA after I gain some knowledge.
14:35:05 <xgerman_> I am thinking about throwing up. a patch to enabling ovs L2 by default in our devstack plugin…. Thoughts?
14:35:23 <annp> xgerman_ +1
14:35:27 <SridarK_> yushiro: sorry had "stepped in" to the other mtg
14:35:47 <yushiro> SridarK_: OK :)
14:35:49 <SridarK_> yushiro: +1 on the L3 HA - will sched some time to discuss with u
14:36:00 <yushiro> annp: thanks.
14:36:20 <yushiro> xgerman_: +1
14:36:57 <annp> regards to L7 filtering
14:37:19 <annp> xgerman_, SridarK, yushiro, I've just update spec at https://review.openstack.org/#/c/600714/4/specs/stein/fwaas_l7_filtering.rst
14:37:30 <xgerman_> sweet
14:37:30 <SridarK_> annp: oh great
14:37:37 <yushiro> annp: +100
14:37:46 <annp> So could you take a look at it and give me some comment.
14:37:52 <yushiro> OK.
14:38:06 <annp> I will make it more better :-)
14:38:27 <annp> one more,
14:38:30 <SridarK_> annp: so u are thinking eBPF ?
14:39:04 <annp> SridarK_, yes.
14:39:11 <yushiro> cool
14:39:30 <yushiro> I think eBPF is suitable solution.
14:39:57 <SridarK_> annp: nice
14:40:10 <yushiro> Finally, we can offload some hardwares e.g. smartNIC or FPGA..
14:40:20 <yushiro> by using eBPF
14:40:26 <annp> yushiro, Not sure. :-)
14:40:30 <SridarK_> yushiro: +1
14:40:46 <SridarK_> i think some vendors are supporting this
14:41:07 <yushiro> wow, that's a good news
14:41:17 <xgerman_> +1
14:41:28 <annp> currently, I've just have a  very simple http filter with eBPF
14:41:58 <annp> https://github.com/annp1987/http_filter_with_xdp
14:42:14 <annp> So I think eBPF is suitable for L7 filtering.
14:43:22 <annp> But please note that L7AgentExtension can load other driver except L7 dirver based eBPF
14:43:30 <xgerman_> yeah, cilium is betting their whole business on that fact :-)
14:43:31 <annp> That's my idea.
14:43:51 <yushiro> xgerman_: +1   Cilium is good example :)
14:44:30 <annp> xgerman_, +1
14:44:58 <annp> One more information from me :-)
14:45:25 <annp> Regards to libnetfilter_log, I'd like to moving this part to neutron-lib
14:45:53 <annp> But neutron-lib doesn't allow eventlet. So I discussed with neutron-folks.
14:46:31 <annp> They suggested libnetfilter_log should place at neutron repo as first implementation for SNAT logging.
14:47:20 <annp> So there's duplicate code of libnetfilter_log between neutron-fwaas and neutron
14:47:49 <yushiro> OK
14:47:54 <annp> Can I moving libnetfilter_log and import back to neutron-fwaas?
14:48:46 <yushiro> annp: In the future, libnetfilter_log should be migrated into neutron-lib, right ?
14:48:48 <annp> Same as way, we call some agent stuff from neutron?
14:49:34 <annp> yushiro, Yes. in next cycle.
14:49:55 <yushiro> annp: So, i think it's OK to keep on current code for fwaas.
14:50:16 <yushiro> annp: In next cycle, we can migrate them.
14:50:17 <annp> yushiro, ok. I see.
14:50:28 <annp> that's all from me
14:50:51 <yushiro> OK, anything else to discuss ?
14:51:03 <SridarK_> nothing from me
14:51:06 <yushiro> If not, we're closing a little earlier.
14:51:13 <SridarK_> +1
14:51:29 <yushiro> OK, thanks fwaas guys today!!
14:51:32 <yushiro> #endmeeting