Difference between revisions of "Meetings/Neutron blueprint ovs-firewall-driver"

Revision as of 04:20, 14 December 2013

Meeting Dec 16, 2013

Purpose restatement
Design decisions
- openvswitch statelessness and security groups frontend API and DB: https://etherpad.openstack.org/p/ovs-firewall-driver-stateless-2
Miscellaneous items:
- ovs_neutron_agent nuances:
  - (1) firewall invoked before agent does anything in C[R]UD operations
  - (2) agent removes all flows at initialization
  - (3) not sure about ovs having atomicity like iptables-restore has (all connections might be dropped/allowed)
- if extra time, quickly mention:
  - working on adding IPv6 flows
  - working on adding multiple ports in range (try port bitmask or N flows per N ports?)
  - of course, need to add unit/integration tests; if someone wants to help on integration tests, that would be good if that's possible
  - neutron-rootwrap-xen-dom0 bugs: https://bugs.launchpad.net/neutron/+bug/1185872/comments/3, https://bugs.launchpad.net/neutron/+bug/1259748
  - other network types: should work as-is since the tunnel OVS flows just pass it to the integration bridge where firewall flows live, but test environment not setup to do so
  - table, priority coordination: ok for now to be hard-coded in Neutron, but will need an abstraction in the future possibly

@@ Line 1: / Line 1: @@
 === '''Meeting Dec 16, 2013''' ===
-* Development discussions:
+* Purpose restatement
-** blueprint ovs-firewall-driver: progress and technical discussion
+* Design decisions
-*** purpose
+** openvswitch statelessness and security groups frontend API and DB: https://etherpad.openstack.org/p/ovs-firewall-driver-stateless-2
-*** openvswitch statelessness and security groups frontend API and DB: https://etherpad.openstack.org/p/ovs-firewall-driver-stateless-2
+* Miscellaneous items:
-*** ovs_neutron_agent nuances:
+** ovs_neutron_agent nuances:
-**** (1) firewall invoked before agent does anything in C[R]UD operations
+*** (1) firewall invoked before agent does anything in C[R]UD operations
-**** (2) agent removes all flows at initialization
+*** (2) agent removes all flows at initialization
-**** (3) not sure about ovs having atomicity like iptables-restore has (all connections might be dropped/allowed)
+*** (3) not sure about ovs having atomicity like iptables-restore has (all connections might be dropped/allowed)
-*** if extra time, quickly mention:
+** if extra time, quickly mention:
-**** working on adding IPv6 flows
+*** working on adding IPv6 flows
-**** working on adding multiple ports in range (try port bitmask or N flows per N ports?)
+*** working on adding multiple ports in range (try port bitmask or N flows per N ports?)
-**** of course, need to add unit/integration tests; if someone wants to help on integration tests, that would be good if that's possible
+*** of course, need to add unit/integration tests; if someone wants to help on integration tests, that would be good if that's possible
-**** neutron-rootwrap-xen-dom0 bugs: https://bugs.launchpad.net/neutron/+bug/1185872/comments/3, https://bugs.launchpad.net/neutron/+bug/1259748
+*** neutron-rootwrap-xen-dom0 bugs: https://bugs.launchpad.net/neutron/+bug/1185872/comments/3, https://bugs.launchpad.net/neutron/+bug/1259748
-**** other network types: should work as-is since the tunnel OVS flows just pass it to the integration bridge where firewall flows live, but test environment not setup to do so
+*** other network types: should work as-is since the tunnel OVS flows just pass it to the integration bridge where firewall flows live, but test environment not setup to do so
-**** table, priority coordination: ok for now to be hard-coded in Neutron, but will need an abstraction in the future possibly
+*** table, priority coordination: ok for now to be hard-coded in Neutron, but will need an abstraction in the future possibly