Meetings/Neutron blueprint ovs-firewall-driver

Discussion for 

Meeting Dec 16, 2013

 * Purpose restatement
 * Design decisions
 * openvswitch statelessness and security groups frontend API and DB: https://etherpad.openstack.org/p/ovs-firewall-driver-stateless-2
 * example of api changes in neutron: https://review.openstack.org/#/c/62129/
 * example of api changes in neutronclient: https://review.openstack.org/#/c/62130/
 * ovs_neutron_agent issues/tasks
 * (1) firewall invoked before agent does anything in C[R]UD operations
 * need to at least move VLAN provisioning before firewall invocation (to have correct OVS action on ALLOW path)
 * (2) agent removes all flows at initialization (as well as deletes all vif's flows on port_bound)
 * requires OVS 1.5.0+ to delete flows based on cookie (current version in XenServer 6.2 and Ubuntu P/Q-release is 1.4.6)
 * Overview of prototype
 * all security group flows on integration bridge
 * currently all on table 0, thinking about multi-table setup (table0 port security, other: ingress, egress)
 * prototype tested on flat network setup; should work on other network types as-is since the tunnel OVS flows just pass the data to the integration bridge
 * still a major WIP:
 * adding IPv6 flows
 * adding multiple ports in range: debating trying out port bitmask or N flows for N ports or any other suggestions?
 * TODO unit/integration tests (integration tests help is always appreciated)
 * other ovs_neutron_agent issues:
 * lacking ovs atomicity like iptables-restore has (all connections might be dropped/allowed): one possibility is to have a dynamic multi-table hotswap
 * neutron-rootwrap-xen-dom0 bugs: https://bugs.launchpad.net/neutron/+bug/1185872/comments/3, https://bugs.launchpad.net/neutron/+bug/1259748 (addressed by https://review.openstack.org/#/c/62346/)
 * table, priority, cookie, actions coordination: ok for now to be hard-coded in Neutron, but will need an abstraction layer in the future possibly