Open vSwitch-based Security Groups: Open vSwitch Implementation of FirewallDriver

-Oct-19-2105(armax): I guess we'll get to this eventually. But it looks like this may need to go through the process once again.

- 11/27/2013 (amir-sadoughi): Working on a first draft approach to upload by next week (with flat networks).
- 12/6/2013 (amir-sadoughi): Basic prototype working at https://github.com/asadoughi/neutron/compare/master...ovs_firewall_driver. Re-writing a few things and working on a coherent document to explain design decisions and technical issues.
- 12/13/2013 (amir-sadoughi): Discussed blueprint at this past Wednesday's ML2 meeting. Going to have a follow-up meeting on Monday <https://wiki.openstack.org/wiki/Meetings#Neutron_blueprint_ovs-firewall-driver_Meeting>
- 12/16/2013 (amir-sadoughi): Held blueprint IRC meeting http://eavesdrop.openstack.org/meetings/blueprint_ovs_firewall_driver/2013/blueprint_ovs_firewall_driver.2013-12-16-20.00.html Further discussion will continue on the openstack-dev mailing list due to lower than expected attendance.
- 12/17/2013 (amir-sadoughi) Sent e-mail to openstack-dev ML to discuss potential security group API addition <http://lists.openstack.org/pipermail/openstack-dev/2013-December/022518.html> <https://wiki.openstack.org/wiki/Neutron/blueprint_ovs-firewall-driver#Security_groups_extension_API_addition_discussion>
- 1/8/2014 (amir-sadoughi): Working on updating existing reviews 62129, 62130; Also, working on patch for "Firewall is invoked before local VLAN is assigned" described here: <https://wiki.openstack.org/wiki/Neutron/blueprint_ovs-firewall-driver#ovs_neutron_agent_related_changes>.
- 2/11/2014 (amir-sadoughi): Move the series goal off of icehouse given the OVS release containing the necessary feature for this blueprint (tcp_flags in OVS 2.1.x) won't ship by code proposal deadline of 2/18; it's more likely to ship in March. <http://openvswitch.org/pipermail/discuss/2014-February/012997.html>.
- 4/3/2014 (amir-sadoughi): Re-opened work for blueprint now that juno-1 is open for development and OVS 2.1.0 is available.
- 4/27/2014 (amir-sadoughi): All previously existing patches have been restored/rebased. Also, blueprint re-filed under neutron-specs repo (WIP) <https://review.openstack.org/#/c/89712/>. Working with vthapar to have working implementation uploaded to Gerrit by summit (next few weeks).
- 5/9/2014 (amir-sadoughi): Juno summit design session <http://junodesignsummit.sched.org/event/4205f2c4084e8a0c3bd8d420803ddf02#.U21rWq1dVus> this Thursday 11:50-12:30p. <https://etherpad.openstack.org/p/juno-neutron-modular-l2-agent>.
- 5/28/2014 (amir-sadoughi): blueprint under review in neutron-specs repo, implementation ongoing.

Gerrit topic: https://review.openstack.org/#q,topic:bp/ovs-firewall-driver,n,z

Addressed by: https://review.openstack.org/62129
    Added source-port-range-{min,max} to sec. groups

Addressed by: https://review.openstack.org/62130
    Added --source-port-range-min, --source-port-range-max

Addressed by: https://review.openstack.org/65557
    Assign local VLANs before port filters

Addressed by: https://review.openstack.org/67316
    Add Open vSwitch cookie support to ovs_neutron_agent

Addressed by: https://review.openstack.org/89712
    Open vSwitch-based Security Groups: OVS FirewallDriver

29-May (mestery): Moving to Juno-2, the BP isn't approved yet and even if it was, code landing in less than two weeks for this is unrealistic.
- 6/13/2014 (amir-sadoughi): Postponing blueprint implementation until K-cycle. I don't think it will be possible to implement and have merged all the new requirements in the Juno timeframe given the current pace. With the K-cycle, we will have access to connection tracking in OVS and the number of changes surrounding the blueprint to get this done will be much fewer and less controversial.