#openstack-fwaas log

14:05:02 <SridarK> #startmeeting fwaas
14:05:03 <openstack> Meeting started Thu Nov 23 14:05:02 2017 UTC and is due to finish in 60 minutes.  The chair is SridarK. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:05:04 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:05:06 <openstack> The meeting name has been set to 'fwaas'
14:05:14 <SridarK> #chair xgerman_
14:05:15 <openstack> Current chairs: SridarK xgerman_
14:05:47 <SridarK> we did say we can have a very quick mtg eventhough it is  local holiday in the US and Japan
14:05:59 <xgerman_> yeah, let’s keep it brief
14:06:05 <chandanc> sure
14:06:10 <annp> +1
14:06:12 <SridarK> chandanc: thx for the patches
14:06:19 <xgerman_> +1
14:06:26 <chandanc> SridarK: xgerman_ thanks
14:06:37 <chandanc> i think you guys can join the reviewrs
14:06:41 <annp> chandanc: thanks for discussion on the patch. :)
14:06:42 <chandanc> i can add you
14:06:48 <chandanc> ya annp
14:06:49 <SridarK> chandanc: +1
14:06:53 <xgerman_> +1
14:06:56 <SridarK> will look thru it
14:07:02 <xgerman_> same here
14:07:04 <chandanc> me and annp are having some discussion on the design
14:07:13 <SridarK> ok
14:07:29 <chandanc> So i have one update
14:07:39 <chandanc> on the driver front
14:07:54 <SridarK> pls go ahead
14:08:06 <chandanc> i found it difficult to test the different combination of driver with full openstack setup
14:08:17 <chandanc> so here is a simulator for the same
14:08:19 <chandanc> https://bitbucket.org/xchandan/fwaas-test-sim/src
14:08:50 <chandanc> you should be able to test it quite easily with the script
14:08:52 <xgerman_> can we include that in our zuul test suite?
14:09:06 <chandanc> :) sure
14:09:15 <chandanc> but i need your feed backs first
14:09:23 <xgerman_> ok
14:09:37 <chandanc> i am using it to verify if i am on the right path
14:09:52 <chandanc> here is a small demo
14:09:53 <chandanc> https://youtu.be/cuU4duzpCDg
14:10:05 <annp> chandanc: nice!
14:10:22 <chandanc> annp: yes it is saving me some time
14:10:31 <xgerman_> yeah, we should add it to our github
14:10:34 <SridarK> chandanc: interesting so u run ur driver in the simulator
14:11:09 <chandanc> yes, it can run SG/FWAAS/BOTH/NONE  drivers
14:11:31 <chandanc> we can play with all combination and verify if things are correct
14:11:37 <SridarK> chandanc: nice - i will tak a look
14:11:43 <chandanc> sure
14:12:23 <SridarK> anything else u want to bring up for discussion
14:12:33 <annp> chandanc, great idea. I like it.
14:12:51 <SridarK> chandanc: annp: ^^ on the driver, coexistence
14:13:20 <chandanc> I checked the coexistence it works as per expectation
14:13:27 <reedip_> o/
14:13:35 <SridarK> reedip_: hi
14:13:36 <chandanc> but ofcource you can easily veify
14:13:47 <SridarK> chandanc: ok
14:14:02 <annp> regarding to co-existence: I think I and chandanc are almost same page now.
14:14:15 <SridarK> annp: ok good
14:14:19 <chandanc> ya mostly, annp.
14:14:46 <SridarK> although i really wonder if it will be an actual use case except during transition
14:14:59 <chandanc> SridarK: +1
14:15:00 <SridarK> i see people using either fwaas or SG for L2
14:15:33 <SridarK> but it is important that we ensure that it works if for any reason someone wants both
14:15:38 <xgerman_> I can see people until we have strata give SG to users and use FW for admin
14:16:00 <SridarK> xgerman_: yes good point for admin level enforcement
14:17:34 <SridarK> On my side, i will finish the review and test for the L2 Agent PS and have that completed shortly
14:18:00 <SridarK> if nothing else to discuss we can wrap up quickly
14:18:24 <annp> SridarK: I have once
14:18:31 <SridarK> sure go ahead annp
14:19:40 <annp> chandanc, Regarding to port_security_enableb attr Do you want to support port no security on fwg right?
14:20:23 <chandanc> yes annp i would like to have that supported on FWG
14:20:38 <SridarK> i think we will need to follow that like SG
14:20:45 <chandanc> i agree
14:21:04 <annp> chandanc, ok. I can update it.
14:21:25 <chandanc> This is very much required for cases like NFV /VNF
14:22:11 <annp> Regarding to rule ordering: I'd like to generate priority for each rule base position of fwg rule
14:22:32 <xgerman_> yes, we will need that as well
14:22:54 <SridarK> +1
14:23:05 <annp> do you think so chandanc?
14:23:33 <chandanc> +1 i think SG is also trying to do some thing similar
14:23:58 <xgerman_> SG doesn’t need an order since they don’t deny
14:24:07 <annp> in SG case: they don't care about rule order
14:24:23 <xgerman_> +1
14:24:25 <annp> xgerman_ yeah
14:24:42 <SridarK> yes but FWaaS this is mandated as we have done
14:24:46 <SridarK> earlier too
14:25:08 <chandanc> hmm, oh ok. The current implementation in FWAAS driver is to process the rule in order in policy
14:25:24 <chandanc> but the position is the correct way to go
14:26:06 <annp> chandanc: +1 thank. That's all from me
14:26:13 <chandanc> i dont know if the agent, sends a ordered list of rule to the driver by position
14:26:20 <chandanc> sure annp
14:27:03 <SridarK> we do track the position implicitly
14:27:35 <chandanc> i think so, but need confirmation from yushiro
14:27:55 <annp> chandanc, SridarK, from my understanding, each rule has 'position' attr, right?
14:28:08 <chandanc> is there a range for the position ?
14:28:17 <SridarK> +1 yes we do track it
14:28:36 <chandanc> or is it a free flow number ?
14:28:52 <SridarK> inserts are done before _or_ after a rule
14:29:20 <SridarK> i forget exactly the specifics in the db
14:29:33 <SridarK> but we can assume it is done - i will double check that
14:29:45 <chandanc> ok sure
14:30:49 <SridarK> anything else to discuss if not we can call it a wrap
14:30:50 <annp> +1 I will confirm with yushiro tomorrow.
14:31:04 <chandanc> sure annp
14:31:13 <xgerman_> ok, I have one question - I was dabbling with #link https://review.openstack.org/#/c/521207/
14:31:14 <chandanc> I dont have any more on my side
14:31:37 <SridarK> xgerman_: +1 great u got that going
14:31:59 <xgerman_> and extending the API — I am not sure we released V2 so I can extend without writing an explicit extension
14:32:26 <xgerman_> see comment https://review.openstack.org/#/c/521196/4/neutron_lib/api/definitions/firewall_v2.py
14:33:04 <xgerman_> I don’t recall locking our API
14:34:07 <SridarK> xgerman_: i am not sure how that works - given that we have been in neutron lib for a few releases now - i would think that would imply being released
14:34:42 <SridarK> is there something else to indicate that we are freezing or locking our API
14:35:07 <SridarK> since we have the same API for L3 as well
14:35:11 <xgerman_> a stable tag on it
14:35:19 <SridarK> hmm ok
14:35:47 <SridarK> so worst case we need an extension addedf
14:35:50 <SridarK> *added
14:36:10 <xgerman_> yes, I just want to make sure we have our story straight
14:36:24 <SridarK> yes correct agreed
14:38:11 <chandanc> xgerman_: does this mean extension to neutron ?
14:38:35 <SridarK> we probab need some clarification from some folks in neutron on the next step for it
14:38:58 <xgerman_> yeah, I know how extension work + there is always talk about microversioning
14:39:16 <xgerman_> https://developer.openstack.org/api-ref/network/v2/ is confuding since only LBaaS V2 is STABLE
14:39:37 <annp> xgerman_: +1
14:39:52 <SridarK> the holy grail of microversioning :-)
14:41:40 <xgerman_> ok, that was all from me
14:42:12 <SridarK> ok then lets pick it up next week
14:42:22 <chandanc> sure
14:42:42 <annp> I can help if we need a neutron extension. Because i have some experence on that with logging extension. :)
14:43:35 <SridarK> +1 same here but xgerman_ u proab went thru it for lbaas too
14:43:52 <xgerman_> yes, no worries — I just find it annoying
14:43:52 <SridarK> once u know how to do it - it is easy
14:44:10 <SridarK> but the first time is a bit of black magic :-)
14:44:31 <SridarK> Ok folks thanks for joining and have a great week
14:44:40 <SridarK> #endmeeting