14:01:18 #startmeeting fwaas
14:01:24 Meeting started Thu Sep 27 14:01:18 2018 UTC and is due to finish in 60 minutes. The chair is yushiro. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:01:25 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:01:28 The meeting name has been set to 'fwaas'
14:01:45 #chair xgerman_
14:01:45 Current chairs: xgerman_ yushiro
14:02:18 I don't see SridarK today.
14:02:40 OK, let's begin.
14:02:42 #topic announcements
14:02:49 hi
14:03:01 sorry for coming late
14:03:21 annp: Hi. 1 announcement. Currently, we're "announcement" topic.
14:03:33 o/
14:03:46 Hi SridarK :)
14:03:53 #chair SridarK
14:03:54 Current chairs: SridarK xgerman_ yushiro
14:04:02 yushiro, thanks. please go ahead.
14:04:18 SridarK: We're "announcement" topic now :)
14:04:33 o/
14:04:40 oops sorry back
14:04:49 OK
14:05:36 I think there is no more announcements. Let's move on next topic.
14:05:57 #topic Stein
14:06:14 I think TC vote should close
14:06:23 xgerman_: Aha, yes.
14:07:14 Anything else to announce ??
14:07:36 #chair SridarK_
14:07:37 Current chairs: SridarK SridarK_ xgerman_ yushiro
14:07:53 Today, we're 4 cores :)
14:08:00 summit is like 6 weeks away ;-)
14:08:08 my evil twin
14:08:17 some issues with the connectivity
14:08:21 :-)
14:08:26 SridarK_: Don't worry :)
14:08:36 xgerman_: Yeah, Berlin summit.
14:08:39 I am multitasking in another mtg so slow
14:08:44 me, too
14:09:18 Wow, you are busy now. I see. I'm multi-task too but chat and eating :)
14:09:33 oh, I haven’t had breakfast
14:09:35 :-)
14:10:12 haha
14:10:23 :-)
14:10:45 So, annp, regarding regression test for fwg logging result, 2 issues are merged,
14:10:49 right ?
14:10:59 yushiro, right.
14:11:46 longkb: You're trying to follow-up fwg logging patch, and ready for review, right ?
14:11:56 yushiro: yep
14:12:22 OK, I'll definitely review this patch in addition to functional patch.
14:12:31 yushiro, +1
14:12:32 There are 02 patches that need review: https://review.openstack.org/#/c/600660/ and https://review.openstack.org/#/c/598601/
14:12:41 longkb: +1
14:12:51 OK, anything else for fwg logging ?
14:13:04 ah, don't forget your python-client patch :D yushiro
14:13:26 longkb: Sure. But it is not for fwg logging but also SNAT one :)
14:13:38 s/not/not only
14:13:43 yushiro: +1
14:13:51 Next: remote fwg
14:14:10 yeah, not much progress… lots of internal stuff
14:14:37 hoping to some stuff in the next few days
14:14:43 xgerman_: Sure. have you fixed DB issue?? If not, we can take a look.
14:15:19 No, my hunch is still some version mismatch…
14:17:11 annp: Can you take a look https://review.openstack.org/#/c/521207/41 if you have bandwidth?
14:17:26 yushiro, sure. I will take a look.
14:17:31 annp: :)
14:17:49 #topic specs
14:18:21 fwaas 2.0 address groups support: https://review.openstack.org/557137
14:18:55 I recall the contributor had some code in progress
14:19:06 wkite is not here today.
14:19:09 SridarK_: OK
14:19:41 (hongbin) fwaas: add support for dynamic rules https://review.openstack.org/#/c/597724/
14:20:22 We've discussed at PTG but I haven't reviewed yet. will reflect my comment.
14:20:35 hongbin is not here today.
14:20:52 Same as extend firewall group inclusion https://review.openstack.org/#/c/600261/
14:21:53 #topic Horizon support
14:22:50 Sarath is not here today. I'll figure out what improvements are necessary in Stein.
14:23:33 #topic bugs
14:24:42 https://bugs.launchpad.net/neutron/+bug/1595440
14:24:42 Launchpad bug 1595440 in neutron "neutron-fwaas ships /usr/bin/neutron-l3-agent a 2nd time" [High,Confirmed]
14:25:16 I think it is not issue at present.
14:25:35 It's ok to set 'invalid' or other status as reedip said.
14:26:34 yushiro, +1
14:26:57 DVR + L3-HA issue: https://review.openstack.org/#/c/580552/
14:27:22 I'm sorry. I don't have much bandwidth these month. I need volunteer for this patch.
14:28:13 In case of L3-HA, we should apply fwg rules not only 'active' router but also all of 'standby' routers.
14:28:39 annp: longkb: I think fwg logging also includes same issue in case of L3-ha.
14:28:44 yushiro, I can help you :)
14:28:52 thanks
14:29:14 yushiro, I'm not sure. Let's us dig more.
14:29:27 +1 annp :)
14:30:01 annp: NFLOG rules (logging rules in iptables) should be configured both 'active' and 'standby' routers.
14:30:46 When switching over from 'active' to 'standby' router, only conntrack information should be migrated. That is current specification of L3-Ha.
14:31:56 In order to apply fwg rules or fwg logging after switch over, we should apply same rule in advance..
14:32:26 yushiro, yes. I think so.
14:33:19 annp: currently, we are finding router namespace from a neutron port. Current logic can get only namespace with 'standby' router!!
14:34:20 #topic Open Discussion
14:34:31 Wow, today is so fast :-)
14:34:53 yushiro, I'll look at the DVR + L3HA after I gain some knowledge.
14:35:05 I am thinking about throwing up a patch to enabling ovs L2 by default in our devstack plugin…. Thoughts?
14:35:23 xgerman_ +1
14:35:27 yushiro: sorry had "stepped in" to the other mtg
14:35:47 SridarK_: OK :)
14:35:49 yushiro: +1 on the L3 HA - will sched some time to discuss with u
14:36:00 annp: thanks.
14:36:20 xgerman_: +1
14:36:57 regards to L7 filtering
14:37:19 xgerman_, SridarK, yushiro, I've just update spec at https://review.openstack.org/#/c/600714/4/specs/stein/fwaas_l7_filtering.rst
14:37:30 sweet
14:37:30 annp: oh great
14:37:37 annp: +100
14:37:46 So could you take a look at it and give me some comment.
14:37:52 OK.
14:38:06 I will make it more better :-)
14:38:27 one more,
14:38:30 annp: so u are thinking eBPF ?
14:39:04 SridarK_, yes.
14:39:11 cool
14:39:30 I think eBPF is suitable solution.
14:39:57 annp: nice
14:40:10 Finally, we can offload some hardwares e.g. smartNIC or FPGA..
14:40:20 by using eBPF
14:40:26 yushiro, Not sure. :-)
14:40:30 yushiro: +1
14:40:46 i think some vendors are supporting this
14:41:07 wow, that's a good news
14:41:17 +1
14:41:28 currently, I've just have a very simple http filter with eBPF
14:41:58 https://github.com/annp1987/http_filter_with_xdp
14:42:14 So I think eBPF is suitable for L7 filtering.
14:43:22 But please note that L7AgentExtension can load other driver except L7 driver based eBPF
14:43:30 yeah, cilium is betting their whole business on that fact :-)
14:43:31 That's my idea.
14:43:51 xgerman_: +1 Cilium is good example :)
14:44:30 xgerman_, +1
14:44:58 One more information from me :-)
14:45:25 Regards to libnetfilter_log, I'd like to moving this part to neutron-lib
14:45:53 But neutron-lib doesn't allow eventlet. So I discussed with neutron-folks.
14:46:31 They suggested libnetfilter_log should place at neutron repo as first implementation for SNAT logging.
14:47:20 So there's duplicate code of libnetfilter_log between neutron-fwaas and neutron
14:47:49 OK
14:47:54 Can I moving libnetfilter_log and import back to neutron-fwaas?
14:48:46 annp: In the future, libnetfilter_log should be migrated into neutron-lib, right ?
14:48:48 Same as way, we call some agent stuff from neutron?
14:49:34 yushiro, Yes. in next cycle.
14:49:55 annp: So, i think it's OK to keep on current code for fwaas.
14:50:16 annp: In next cycle, we can migrate them.
14:50:17 yushiro, ok. I see.
14:50:28 that's all from me
14:50:51 OK, anything else to discuss ?
14:51:03 nothing from me
14:51:06 If not, we're closing a little earlier.
14:51:13 +1
14:51:29 OK, thanks fwaas guys today!!
14:51:32 #endmeeting