00:01:03 <sc68cal> #startmeeting networking_fwaas
00:01:04 <xgerman> hoangcx I gave you sit rights on the drawing
00:01:05 <openstack> Meeting started Thu Oct 15 00:01:03 2015 UTC and is due to finish in 60 minutes.  The chair is sc68cal. Information about MeetBot at http://wiki.debian.org/MeetBot.
00:01:06 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
00:01:08 <openstack> The meeting name has been set to 'networking_fwaas'
00:01:18 <jwarendt> Hi
00:01:19 <bharathm> o/
00:01:30 <hoangcx> xgerman: Thanks a lot. I will check it
00:01:33 * sc68cal sighs
00:01:45 <xgerman> sc68cal I forgot to add some topics to the agenda
00:02:01 <sc68cal> no worries, I'll try and run through our recap quickly and then let you take over
00:02:18 <xgerman> cool
00:02:25 * sc68cal is banging head against wall for making a neutron_fwaas directory in eavesdrop that he'll have to ignore forever
00:02:39 * xgerman lol
00:02:52 <sc68cal> #topic recap actions from last meeting
00:02:57 <sc68cal> #chair xgerman SridarK
00:02:57 <openstack> Current chairs: SridarK sc68cal xgerman
00:03:06 <sc68cal> #link http://eavesdrop.openstack.org/meetings/networking_fwaas/2015/networking_fwaas.2015-10-07-18.32.html Minutes from last meeting
00:03:12 <sc68cal> xgerman: looks like it's all you
00:03:37 <SridarK> xgerman: the spotlight is on :-)
00:03:58 <xgerman> already
00:04:12 <xgerman> so Midcycle
00:04:29 <xgerman> HP can host the mid cycle in Seattle
00:04:52 <xgerman> I am wondering if we should start some etherpad to vote on time/location
00:05:34 <SridarK> xgerman: +1, if folks want to come to the bay area, i can arrange to host as well
00:06:17 <sc68cal> I'm +1 for SEA. Was easy for me from US East Coast
00:06:42 <xgerman> #link https://etherpad.openstack.org/p/fwaas_mitaka_midcyle
00:06:45 <sc68cal> SEA is probably good for APAC too, only people who it's tough for is probably Europe
00:07:06 <xgerman> yeah, on that note we have trouble to fund International travel
00:07:55 <sc68cal> doh. xgerman you are in europe aren't you?
00:08:05 <xgerman> nope, I am in San Diego
00:08:16 * sc68cal breathes sigh of relief
00:08:31 <xgerman> but Seattle is our base so easy to get to (for me)
00:08:50 <SridarK> given the time of the year, we stay on the west coast :-)
00:09:45 <xgerman> +1
00:09:50 <mickeys> +1
00:10:19 <jwarendt> +1
00:10:20 <xgerman> for dates I am gone most of December so I would say we should aim for January/early february
00:10:33 <xgerman> also I think we are supposed to coordinate with armax
00:10:58 <armax> xgerman: yes
00:11:10 <armax> I talked to mugsie (I don’t recall the irc)
00:11:16 <xgerman> that’s him
00:11:22 <xgerman> Graham in real life
00:11:29 <armax> xgerman: I am hoping to get the summit out of the way first
00:11:34 <xgerman> k
00:11:45 <armax> but most definitely it makes sense to coordinate
00:11:59 <armax> xgerman: if you’re out December
00:12:24 <xgerman> well, I am out beginning 12/15 so the first few weeks might still work ;-)
00:12:25 <armax> xgerman: that means we’d need to defer the Neutron mid-cycle meetup and we typically had that in December
00:12:30 <armax> xgerman: ok
00:12:48 <xgerman> also I usually skip the Neutron mid cycle...
00:13:04 <sc68cal> I've been going to them, so I think we'll have coverage there
00:13:11 <xgerman> cool
00:13:27 <armax> so you guys are thinking of Dublin as venue?
00:13:44 <xgerman> that would be LBaaS/DNSaaS joint meeting
00:13:55 <xgerman> FWaaS is different and dougwig said we should keep separate
00:14:21 <xgerman> but right now a lot of stuff is in the air...
00:14:28 <armax> so ideally you’d want these to be back-to-back?
00:14:34 <armax> or simply not conflict?
00:14:41 <armax> and spaced them out
00:14:41 <armax> ?
00:14:43 <xgerman> simply not conflict
00:14:55 <armax> xgerman: ok fair enough
00:15:30 <armax> noted in my list of chores
00:15:38 <armax> anything else from me?
00:15:52 <xgerman> nope - otherwise we are pretty self organizing
00:16:11 <sc68cal> all hail the PTL!
00:16:16 * xgerman bows
00:16:18 <armax> xgerman: excellent
00:16:24 <SridarK> +1 ;-)
00:16:26 * armax blushes
00:16:50 <sc68cal> On that note, xgerman how did prioritization go?
00:16:59 <xgerman> done
00:17:40 <sc68cal> xgerman: i forget which link is for this
00:18:23 <sc68cal> ahhh sorry - dumb thing. The bugs in launchpad
00:18:31 <xgerman> yep, you made a Google link
00:18:54 <sc68cal> cool - thanks for doing that :)
00:19:29 <sc68cal> If anyone has a bug that they think needs different priority, feel free to reach out
00:19:38 <xgerman> +1
00:19:46 <sc68cal> xgerman: how about the google doc, that was the last thing
00:20:19 <xgerman> I complained to the corporate people and it seems I can share with people’s e-mail
00:20:46 <xgerman> #link https://docs.google.com/a/hpe.com/drawings/d/1eFDVOtkwG2Flt54zqZcAFnOY9cww_EgJKuIp9aPqAIs/edit?usp=sharing
00:20:58 <sc68cal> might be worth taking and copying into an etherpad or something where we don't have to add people
00:21:11 <xgerman> I think that link allows to edit
00:21:22 <xgerman> those options just showed up today
00:21:42 <sc68cal> hmm, I had to request access
00:21:57 <SridarK> xgerman: yes ^^^ same here
00:21:57 <xgerman> nope, then it doesn’t work :-(
00:22:00 <sc68cal> I think maybe it's time to move it to etherpad.
00:22:03 * hoangcx just got approved about that :-)
00:22:08 <SridarK> just pushed that button
00:22:30 <sc68cal> my main concern is having it publicly accessible
00:22:46 <sc68cal> the trello board, yeah you had to get access to edit, but at least accessible publicly
00:23:32 <xgerman> yeah, as I said this is all still in flight over there at HP
00:23:49 <xgerman> should have used a non-HP Google Drawing account
00:24:19 <sc68cal> oh. It's the _drawing_
00:24:48 <xgerman> yep
00:24:55 <sc68cal> sorry, being stupid tonight. Thought there was some other google doc
00:25:30 <sc68cal> ok, anyway I'll hand it over to xgerman since you had a couple topics you wanted to discuss?
00:25:39 <sc68cal> (make sure to use #topic)
00:25:50 <xgerman> #topic Design session
00:26:10 <xgerman> #link https://etherpad.openstack.org/p/mitaka-neutron-next-adv-services
00:26:30 <xgerman> so we have a session on fwaas
00:27:05 <SridarK> lets get the DVR related discussion covered for the broader audience there
00:27:11 <sc68cal> ^ ++
00:27:15 <xgerman> +
00:27:43 <SridarK> But we hope to get some good discussion going before that
00:27:58 <xgerman> yeah
00:28:05 <SridarK> so it will be ideal if we can lay out some options here, perhaps that is a bit optimistic
00:28:11 <SridarK> but we can shoot for that
00:28:23 <xgerman> I chatted with jwarendt and we came up with a few things we think can be achieved in M
00:28:30 <mickeys> We need to know if any of the 2-stage proposals (going through router at both source and destination) will fly. Swami is supposed to write one option up. I am supposed to write another option up.
00:28:36 <mickeys> For DVR
00:28:52 <xgerman> oh, ok
00:29:06 <xgerman> would that work with our new port based idea?
00:29:37 <SridarK> mickeys:, badveli: & I had a quick sync with Swami as well to at least lay out some issues so we have some background set
00:29:40 <mickeys> Does not matter whether it is the router in its entirety or a router port. If it goes through the router and it is asymmetric, it breaks conntrack
00:29:55 <mickeys> If it is not router port, no issue with DVR
00:29:59 <xgerman> we were worried about that
00:30:07 <xgerman> conntrack...
00:30:55 <mickeys> I believe we either need to have a DVR mode that is symmetric, with 2-stage forwarding, or we need to change the semantics of FWaaS so that router stuff is only north-south
00:31:17 <xgerman> I think the latter might be ok
00:31:36 <xgerman> mostly east-west will be between vms
00:31:38 <SridarK> xgerman: i am not sure if that will fit all deployments
00:31:50 <mickeys> That is the big question that we need answered coming out of Tokyo
00:31:52 <SridarK> if they are different subnets
00:31:58 <xgerman> yeah, there are always edge-cases :-)
00:32:14 <SridarK> yes that we need to flush those out
00:32:44 <xgerman> mickeys — that would be more an ML question with a follow up in Tokyo or vice versa
00:32:59 <SridarK> xgerman: were u thinking on the router port(s) aspect as a priority (ur discussion with jwarendt ^^^ )
00:33:19 <xgerman> we just like ports
00:33:26 <SridarK> xgerman: i agree
00:33:48 <xgerman> hence my second bullet "Define clearly what a port is"
00:33:53 <mickeys> The etherpad already laid out a few options. With Swami, SridarK, badveli, trying to come up with enough detail on 2-stage forwarding so that DVR folks can say yes or no
00:34:01 <xgerman> #link https://etherpad.openstack.org/p/mitaka-neutron-next-adv-services
00:35:32 <SridarK> mickeys: if it is conditional on FWaaS being configured - i think what we have is a reasonable approach
00:36:00 <SridarK> but we can try to close at the summit
00:36:06 <sc68cal> ^ +1
00:36:34 <sc68cal> one of my concerns is, define behaviors at the API level - don't let one implementation define behaviors that others can't do
00:37:00 <sc68cal> we want it to work with DVR - obviously, but in a way where the API makes sense in all cases and for all implementations
00:37:26 <xgerman> yep, we might just say if you use DVR router ports are only south-west
00:37:42 <xgerman> so all the people who skip DVR can have east-west ;-)
00:38:01 <mickeys> Actually, for DVR, only policies on north/gateway ports on routers
00:38:07 <mickeys> Both directions
00:38:24 <mickeys> If we don't do 2-stage forwarding
00:38:58 <xgerman> ok, but as sc68cal said that shouldn’t stop us in API design...
00:39:46 <SridarK> mickeys: yes that was the change to be done so FWaaS was not completely broken with DVR
00:39:54 <SridarK> in Juno
00:40:22 <mickeys> One option is to keep that restriction going forward, but cleaner because it will be explicitly tied to the gateway port
00:41:10 <xgerman> yeah, we can clearly roadmap that - so we have the restriction in M but N we might have 2-stage-forwarding...
00:42:28 <SridarK> getting in basic "tying to port(s)" support should be straightforward, always had that in mind even with Router Insertion
00:43:15 <SridarK> the FW and insertion point association are kept in a separate table, for ease of supporting different insertion models
00:45:04 <xgerman> yeah, so that would mean no changes to the data model
00:45:31 <SridarK> xgerman: yes not for the FW resource
00:45:46 <SridarK> keeps it less messy
00:46:37 <mickeys> I thought the firewall resource is where the association is kept. The policy and rules are separate.
00:46:46 <SridarK> mickeys: yes
00:46:59 <SridarK> the association with FW and Policy
00:47:20 <SridarK> but the association with the FW and insertion point is outside of the FW table
00:47:56 <SridarK> earlier the FW was pushed to all routers on that tenant - so nothing was tracked
00:48:12 <SridarK> the agent managed most of that
00:51:38 <sc68cal> time check, only 10 minutes left
00:52:00 <sc68cal> anyone have anything to add? hoangcx ?
00:52:17 <xgerman> one more thing
00:52:34 <xgerman> Please review: #link https://review.openstack.org/#/c/231246/
00:52:44 <hoangcx> sc68cal: Yeah. Would love to change status from "Confirmed" to "Triaged" for the Logging API
00:52:53 <reedip> Just a query to everyone: Would ICMP code based filtering be a part of FWaaS ?
00:53:04 <hoangcx> #link https://bugs.launchpad.net/neutron/+bug/1468366
00:53:04 <openstack> Launchpad bug 1468366 in neutron "RFE - Logging API for security group and firewall rules" [High,Confirmed] - Assigned to Yushiro FURUKAWA (y-furukawa-2)
00:53:23 <xgerman> I think it could be
00:53:23 <hoangcx> Thanks xgerman for setting priority
00:53:39 <xgerman> reedip
00:54:44 <reedip> xgerman: but I guess it would require a detailed discussion bcz it would impact Usability (Client/Horizon) as well as the base code
00:55:13 <xgerman> I see it as part of our DPI aspirations
00:55:24 <annp> xgerman +1
00:55:26 <xgerman> which would need those changes anyway
00:55:55 <reedip> DPI ?
00:56:06 <xgerman> Deep Packet Inspection
00:56:12 <reedip> Oh , ok...
00:57:49 <hoangcx> sc68cal, xgerman, SridarK: We are focusing on the logging design. So it is better if the status changes to "Triaged" to get more attention from others to file it, especially for upstair people.
00:58:35 <xgerman> hoangcx got it
00:58:39 <xgerman> done +done
00:58:51 <badveli> sorry i was in another wrong channel from morning
00:59:04 <hoangcx> xgerman: Thank you so much :-)
00:59:18 <xgerman> ok, out of time...
00:59:31 <xgerman> #endmeeting