<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1255">
</head>
<body dir="auto">
<div>Adam, you are correct to show why order matters in policies. </div>
<div>It is a good point to consider AND between rules. </div>
<div>If you really want to OR rules you can use different policies. </div>
<div><br>
</div>
<div>Stephen, the need for order contradicts using content modification with the same API since for modification you would really want to evaluate the whole list. <br>
<br>
Regards,
<div> -Sam.</div>
</div>
<div><br>
On 2 May 2014, at 06:15, "Adam Harwell" <<a href="mailto:adam.harwell@RACKSPACE.COM">adam.harwell@RACKSPACE.COM</a>> wrote:<br>
<br>
</div>
<blockquote type="cite">
<div>
<div style="font-family: Calibri, sans-serif; font-size: 14px; color: rgb(0, 0, 0); ">
My thoughts are inline (in red, since I can't figure out how to get Outlook to properly format the email the way I want).</div>
<div style="font-family: Calibri, sans-serif; font-size: 14px; color: rgb(0, 0, 0); ">
<br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family: Calibri; font-size: 11pt; color: black; text-align: left; border-width: 1pt medium medium; border-style: solid none none; padding: 3pt 0in 0in; border-top-color: rgb(181, 196, 223); ">
<span style="font-weight:bold">From: </span>Stephen Balukoff <<a href="mailto:sbalukoff@bluebox.net">sbalukoff@bluebox.net</a>><br>
<span style="font-weight:bold">Reply-To: </span>"OpenStack Development Mailing List (not for usage questions)" <<a href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a>><br>
<span style="font-weight:bold">Date: </span>Thursday, May 1, 2014 6:52 PM<br>
<span style="font-weight:bold">To: </span>"OpenStack Development Mailing List (not for usage questions)" <<a href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [openstack-dev] [Neutron][LBaaS]L7 conent switching APIs<br>
</div>
<div style="font-family: Calibri, sans-serif; font-size: 14px; color: rgb(0, 0, 0); ">
<br>
</div>
<div>
<div>
<div dir="ltr"><font face="Calibri,sans-serif">Hi Samuel, </font>
<div style="font-family: Calibri, sans-serif; font-size: 14px; color: rgb(0, 0, 0); ">
<br>
</div>
<div style="font-family: Calibri, sans-serif; font-size: 14px; color: rgb(0, 0, 0); ">
We talked a bit in chat about this, but I wanted to reiterate a few things here for the rest of the group. Comments in-line:</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote"><font face="Calibri,sans-serif">On Wed, Apr 30, 2014 at 6:10 AM, Samuel Bercovici
</font><span dir="ltr" style="font-family: Calibri, sans-serif; font-size: 14px; color: rgb(0, 0, 0); "><<a href="mailto:SamuelB@radware.com" target="_blank">SamuelB@radware.com</a>></span><font face="Calibri,sans-serif"> wrote:</font><br>
<blockquote class="gmail_quote" style="font-family: Calibri, sans-serif; font-size: 14px; color: rgb(0, 0, 0); margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Hi,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">We have compared the API that is in the blueprint to the one described in Stephen's documents.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">The differences we have found follow:<u></u><u></u></span></p>
<p><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>1)<span style="font-style: normal; font-variant: normal; font-weight: normal; font-size: 7pt; line-height: normal; font-family: 'Times New Roman'; ">
</span></span></span><u></u><span dir="LTR"></span><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">L7PolicyVipAssoc is gone, this means that L7 policy reuse is not possible. I have added use cases 42 and 43 to show
where such reuse makes sense.</span></p>
</div>
</div>
</blockquote>
<div style="font-family: Calibri, sans-serif; font-size: 14px; color: rgb(0, 0, 0); ">
<br>
</div>
<div style="font-family: Calibri, sans-serif; font-size: 14px; color: rgb(0, 0, 0); ">
Yep, my thoughts were that:</div>
<div style="font-family: Calibri, sans-serif; font-size: 14px; color: rgb(0, 0, 0); ">
<ul>
<li>The number of times L7 policies will actually get re-used is pretty minimal. And in the case of use cases 42 and 43, these can be accomplished by duplicating the L7policies and rules (with differing actions) for each type of connection.
</li><li>Fewer new objects is usually better and less confusing for the user. Having said this, a user advanced enough to use L7 features like this at all is likely going to be able to understand what the 'association' policy does.
</li></ul>
<div>The main counterpoint you shared with me was (if I remember correctly):</div>
</div>
<div style="font-family: Calibri, sans-serif; font-size: 14px; color: rgb(0, 0, 0); ">
<ul>
<li>For different load balancer vendors, it's much easier to code for the case where a specific entire feature set isn't available (i.e. L7 switching or content modification functionality) by making that entire feature set modular. A driver in this case
can simply return with a "feature not supported" error if anyone tries using L7 policies at all.
</li></ul>
</div>
<div><font face="Calibri,sans-serif"> </font><font color="#ff0000"><font face="Calibri,sans-serif">I agree that re-use should not be required for L7 policies, which should simplify things.</font></font></div>
<blockquote class="gmail_quote" style="font-family: Calibri, sans-serif; font-size: 14px; color: rgb(0, 0, 0); margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><u></u><u></u></span></p>
<p><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>2)<span style="font-style: normal; font-variant: normal; font-weight: normal; font-size: 7pt; line-height: normal; font-family: 'Times New Roman'; ">
</span></span></span><u></u><span dir="LTR"></span><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">There is a mix between L7 content switching and L7 content modification, the API in the blue print only addresses L7
content switching. I think that we should separate the APIs from each other. I think that we should review/add use cases targeting L7 content modifications to the use cases document.</span></p>
</div>
</div>
</blockquote>
<div style="font-family: Calibri, sans-serif; font-size: 14px; color: rgb(0, 0, 0); ">
Fair enough. There aren't many such use cases in there yet. </div>
<blockquote class="gmail_quote" style="font-family: Calibri, sans-serif; font-size: 14px; color: rgb(0, 0, 0); margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><u></u><u></u></span></p>
<p style="text-indent:.5in"><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>a.<span style="font-style: normal; font-variant: normal; font-weight: normal; font-size: 7pt; line-height: normal; font-family: 'Times New Roman'; ">
</span></span></span><u></u><span dir="LTR"></span><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">You can see this in L7Policy: APPEND_HEADER, DELETE_HEADER actions<u></u><u></u></span></p>
<p><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>3)<span style="font-style: normal; font-variant: normal; font-weight: normal; font-size: 7pt; line-height: normal; font-family: 'Times New Roman'; ">
</span></span></span><u></u><span dir="LTR"></span><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">The action to redirect to a URL is missing in Stephen’s document. The 'redirect' action in Stephen’s document is equivalent
to the “pool” action in the blue print/code.</span></p>
</div>
</div>
</blockquote>
<div style="font-family: Calibri, sans-serif; font-size: 14px; color: rgb(0, 0, 0); ">
Yep it is. But this is actually pretty easily added. We would just add the 'action' of "URL_REDIRECT" and the action_argument would then be the URL to which to redirect.</div>
<div style="font-family: Calibri, sans-serif; font-size: 14px; color: rgb(0, 0, 0); ">
<br>
</div>
<blockquote class="gmail_quote" style="font-family: Calibri, sans-serif; font-size: 14px; color: rgb(0, 0, 0); margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><u></u><u></u></span></p>
<p><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>4)<span style="font-style: normal; font-variant: normal; font-weight: normal; font-size: 7pt; line-height: normal; font-family: 'Times New Roman'; ">
</span></span></span><u></u><span dir="LTR"></span><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">All the objects have their parent id as an optional argument (L7Rule.l7_policy_id, L7Policy.listener_id), is this a
mistake?</span></p>
</div>
</div>
</blockquote>
<div style="font-family: Calibri, sans-serif; font-size: 14px; color: rgb(0, 0, 0); ">
That's actually not a mistake-- a user can create "orphaned" rules in this model. However, the point was raised earlier by Brandon that it may make sense for members to be child objects of a specific pool since they can't be shared. If we do this for members,
it also makes sense to do it for L7Rules since they also can't be shared. At which point the API for manipulating L7Rules would shift to:</div>
<div style="font-family: Calibri, sans-serif; font-size: 14px; color: rgb(0, 0, 0); ">
<br>
</div>
<div style="font-family: Calibri, sans-serif; font-size: 14px; color: rgb(0, 0, 0); ">
/l7_policy/{policy_uuid}/l7_rules</div>
<div style="font-family: Calibri, sans-serif; font-size: 14px; color: rgb(0, 0, 0); ">
<br>
</div>
<div style="font-family: Calibri, sans-serif; font-size: 14px; color: rgb(0, 0, 0); ">
And in this case, the parent L7Policy ID would be implicit.</div>
<div style="font-family: Calibri, sans-serif; font-size: 14px; color: rgb(0, 0, 0); ">
<br>
</div>
<div style="font-family: Calibri, sans-serif; font-size: 14px; color: rgb(0, 0, 0); ">
(I'm all for this change, by the way.) </div>
</div>
</div>
</div>
</div>
</div>
</span>
<div><br>
</div>
<div><font color="#ff0000">Sounds good to me too!</font></div>
<span id="OLK_SRC_BODY_SECTION">
<div>
<div>
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="font-family: Calibri, sans-serif; font-size: 14px; color: rgb(0, 0, 0); margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><u></u><u></u></span></p>
<p><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>5)<span style="font-style: normal; font-variant: normal; font-weight: normal; font-size: 7pt; line-height: normal; font-family: 'Times New Roman'; ">
</span></span></span><u></u><span dir="LTR"></span><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">There is also the additional behavior based on L3 information (matching the client/source IP to a subnet). This is
addressed by L7Rule.type with a value of 'CLIENT_IP' and L7Rule.compare_type with a value of 'SUBNET'. I think that using Layer 3 type information should not be part of L7 content switching as the use cases I am aware of, might require more than just selecting
a different pool (ex: user with ip from internet browsing to an https based application, might need to be secured using 2K SSL keys while internal users could use weaker keys)</span></p>
</div>
</div>
</blockquote>
<div style="font-family: Calibri, sans-serif; font-size: 14px; color: rgb(0, 0, 0); ">
While it's true that having a way to manipulate this without being part of an HTTP or unwrapped HTTPS session is also useful-- it's still useful to be able to create L7 rules which also make decisions based on subnet. (Notice also with TLS_SNI_Policies there
is a 'hostname' attribute, and also with L7 rules there is a 'hostname' type of rule? Again, useful to have in two places, eh!)</div>
<div style="font-family: Calibri, sans-serif; font-size: 14px; color: rgb(0, 0, 0); ">
<span style="color: rgb(31, 73, 125); font-family: Calibri, sans-serif; font-size: 11pt; "> </span></div>
<blockquote class="gmail_quote" style="font-family: Calibri, sans-serif; font-size: 14px; color: rgb(0, 0, 0); margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">I would like to state that although the WIKI describes the solution from a high level it is not totally in sync with the actual code.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">The key thing which is missing is that, L7 Policies in a specific listener/vip are ordered (ordered list) and are processed in order so that the
1<sup>st</sup> policy that has a match will be activated and traversal of the L7 policy list is stopped as the processing is final (ex: redirect, pool, reject).
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">This in effect means that L7 Policies form an ‘or’ condition between them.
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">L7 Policies have an ordered list of L7 Rules, L7 Rules are processed by this order and also form an ‘or’ condition.</span></p>
</div>
</div>
</blockquote>
<div style="font-family: Calibri, sans-serif; font-size: 14px; color: rgb(0, 0, 0); ">
<br>
</div>
<div style="font-family: Calibri, sans-serif; font-size: 14px; color: rgb(0, 0, 0); ">
Agreed, and I think my API works the same way. I will say though: I did remove the 'order' attribute from L7Rules because if all the conditions that make up a policy are OR'ed together, then order no longer matters. If we want to define a more feature-rich
DSL here, then rule order would matter. (Note that the order in which entire L7Policies appear still matters. The first one to match wins in the case of a 'redirect' match, eh.)</div>
<div style="font-family: Calibri, sans-serif; font-size: 14px; color: rgb(0, 0, 0); ">
</div>
</div>
</div>
</div>
</div>
</div>
</span>
<div><font color="#ff0000">Stephen, the way I understood your API proposal, I thought you could essentially combine L7Rules in an L7Policy, and have multiple L7Policies, implying that the L7Rules would use AND style combination, while the L7Policies themselves
would use OR combination (I think I said that right, almost seems like a tongue-twister while I'm running on pure caffeine). So, if I said:</font></div>
<div><span style="color: rgb(255, 0, 0); "> * The policy { rules: [ rule1: match path REGEX ".*index.*", rule2: match path REGEX "hello/.*" ] } directs to Pool A</span></div>
<div><font color="#ff0000"> * The policy { rules: [ rule1: match hostname EQ "<a href="http://mysite.com">mysite.com</a>" ] } directs to Pool B</font></div>
<div><font color="#ff0000">then order would matter for the policies themselves. In this case, if they ran in the order I listed, it would match "<a href="http://mysite.com/hello/index.htm">mysite.com/hello/index.htm</a>" and direct it to Pool A, while "<a href="http://mysite.com/hello/nope.htm">mysite.com/hello/nope.htm</a>"
would not match BOTH rules in the first policy, and would be caught by the second policy, directing it to Pool B. If I had wanted the first policy to use OR logic, I would have just specified two separate policies both pointing to Pool A:</font></div>
<div>
<div><span style="color: rgb(255, 0, 0); "> * The policy { rules: [ rule1: match path REGEX ".*index.*" ] } directs to Pool A</span></div>
<div><span style="color: rgb(255, 0, 0); "> * The policy { rules: [ rule1: match path REGEX "hello/.*" ] } directs to Pool A</span></div>
<div><font color="#ff0000"> * The policy { rules: [ rule1: match hostname EQ "<a href="http://mysite.com">mysite.com</a>" ] } directs to Pool B</font></div>
</div>
<div><font color="#ff0000">In that case, it would match </font><span style="color: rgb(255, 0, 0); ">"<a href="http://mysite.com/hello/nope.htm">mysite.com/hello/nope.htm</a>" on the second policy, still directing to Pool A.</span></div>
<div><font color="#ff0000">In both cases, "<a href="http://mysite.com/hi/">mysite.com/hi/</a>" would only be caught by the last policy, directing to Pool B.</font></div>
<div><font color="#ff0000">Maybe I was making some crazy jumps of logic, and that's not how you intended it? That said, even if that wasn't your intention, could it work that way? It seems like that allows a decent amount of options… :)</font></div>
<div><font color="#ff0000"><br>
</font></div>
<div><font color="#ff0000"> --Adam</font></div>
<span id="OLK_SRC_BODY_SECTION">
<div>
<div>
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="font-family: Calibri, sans-serif; font-size: 14px; color: rgb(0, 0, 0); margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Regards,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "> -Avishay, Evgeny and Sam<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><u></u> <u></u></span></p>
<p class="MsoNormal"><br>
</p>
</div>
</div>
</blockquote>
</div>
<br clear="all">
<div style="font-family: Calibri, sans-serif; font-size: 14px; color: rgb(0, 0, 0); ">
<br>
</div>
<font face="Calibri,sans-serif">-- </font><br>
<font face="Calibri,sans-serif"><span></span>Stephen Balukoff </font><br>
<font face="Calibri,sans-serif">Blue Box Group, LLC </font><br>
<font face="Calibri,sans-serif">(800)613-4305 x807 </font></div>
</div>
</div>
</div>
</span></div>
</blockquote>
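<div>The evaluation semantics debated in this thread, as an added example (not code from the blueprint, the wiki, or any participant): ordered L7Policies where the first match wins, with the rules inside a policy combined either with AND (Adam's reading) or OR (the behaviour Sam describes). The class layout, the "PATH"/"HOSTNAME" type values, the use of unanchored regex search on the path, and treating a policy with no rules as never matching are assumptions made for illustration; the sample requests are the ones Adam lists.</div>

```python
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass
class L7Rule:
    type: str          # "PATH" or "HOSTNAME" (constructed subset of rule types)
    compare_type: str  # "REGEX" or "EQ"
    value: str

    def matches(self, request: dict) -> bool:
        field = request["path"] if self.type == "PATH" else request["hostname"]
        if self.compare_type == "REGEX":
            # Assumption: unanchored search, so "hello/.*" matches "/hello/x".
            return re.search(self.value, field) is not None
        return field == self.value


@dataclass
class L7Policy:
    rules: List[L7Rule]
    pool: str


def req(url: str) -> dict:
    """Split 'host/path' (constructed sample input) into hostname and path."""
    host, _, path = url.partition("/")
    return {"hostname": host, "path": "/" + path}


def select_pool(policies: List[L7Policy], request: dict,
                combine: Callable[[Iterable[bool]], bool] = all) -> Optional[str]:
    """Walk the policies in order; the first policy that matches is final.

    combine=all -> rules inside a policy are ANDed
    combine=any -> rules inside a policy are ORed
    """
    for policy in policies:
        # Assumption: a policy without rules never matches (all([]) is True).
        if policy.rules and combine(r.matches(request) for r in policy.rules):
            return policy.pool
    return None  # no policy matched; the listener's default would apply


INDEX = L7Rule("PATH", "REGEX", ".*index.*")
HELLO = L7Rule("PATH", "REGEX", "hello/.*")
HOST = L7Rule("HOSTNAME", "EQ", "mysite.com")

# Adam's first list: two rules in one policy, then the hostname policy.
TWO_POLICIES = [L7Policy([INDEX, HELLO], "Pool A"), L7Policy([HOST], "Pool B")]
# Adam's second list: OR expressed as separate policies with the same pool.
THREE_POLICIES = [L7Policy([INDEX], "Pool A"), L7Policy([HELLO], "Pool A"),
                  L7Policy([HOST], "Pool B")]

if __name__ == "__main__":
    for url in ("mysite.com/hello/index.htm", "mysite.com/hello/nope.htm",
                "mysite.com/hi/"):
        print(url,
              "| AND:", select_pool(TWO_POLICIES, req(url)),
              "| OR:", select_pool(TWO_POLICIES, req(url), combine=any),
              "| split policies:", select_pool(THREE_POLICIES, req(url)))
```

Reversing the policy order sends every mysite.com request to Pool B, because the hostname policy then matches first and traversal stops.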
</body>
</html>