<div>
<br>
</div>
<div><div><br></div><div><span style="font-size: 14px;">During Juno, we introduced the enhanced security groups rpc (security_groups_info_for_devices) instead of (security_group_rules_for_devices), </span></div><div><span style="font-size: 14px;">and the ipset functionality to offload iptable chains a bit.</span></div><div><br></div><div><span style="font-size: 14px;"><br></span></div><div><span style="font-size: 14px;">Here I propose to:</span></div><div><span style="font-size: 14px;"><br></span></div><div><span style="font-size: 14px;">1) Remove the old security_group_info_for_devices, which was left to ease operators upgrade </span></div><div><span style="font-size: 14px;">path from I to J (allowing running old openvswitch agents as we upgrade)</span></div><div><span style="font-size: 14px;"><br></span></div><div><span style="font-size: 14px;">Doing this we can cleanup </span><span style="font-size: 14px;">the current iptables firewall driver a bit from unused code paths.</span></div><div><span style="font-size: 14px;"><br></span></div><div><span style="font-size: 14px;"><br></span></div><div><span style="font-size: 14px;">I suppose this would require a major RPC version bump.</span></div><div><span style="font-size: 14px;"><br></span></div><div><span style="font-size: 14px;">2) Remove the option to disable ipset (now it’s enabled by default and seems </span></div><div><span style="font-size: 14px;">to be working without problems), and make it an </span><span style="font-size: 14px;">standard way to handle “IP” groups </span></div><div><span style="font-size: 14px;">from the iptables perspective.</span></div><div><span style="font-size: 14px;"><br></span></div><div><span style="font-size: 14px;"><br></span></div><div><span style="font-size: 14px;">Thoughts?,</span></div><div><span style="font-size: 14px;"><br></span></div><div><span style="font-size: 14px;">Best regards,</span></div><div><span style="font-size: 14px;">Miguel Ángel Ajo</span></div><div><br></div></div>