Hello, everyone. Thank you for coming. My name is Gao Xunhuang. I'm currently working for Fujitsu Vietnam. Today I would like to present a topic: Adopt Netlink Solution to Firewall as a Service. With this solution, we can save up to 98% of the time for updating the firewall. Today's agenda has four items: background, solution, performance test, and future work.

Let's start with the background. Initially, we just started trying to fix a bug: Firewall as a Service leaves connections open if we delete the allow rule. For more detail about this bug fix, you can refer to the Launchpad number shown on the screen. The bug description is that established connections are still alive after deleting the rule. To make it easier to understand, assume that we have a topology, as you can see on the screen, with the firewall rule applied on the router. When someone wants to access the VM by an SSH connection, we just add an allow SSH rule to the firewall and then they can access the VM. But after that, if we don't want to allow this connection, we just delete this firewall rule. And the expectation is that the SSH connection will be deleted also. But unfortunately, this connection, I mean the SSH connection, still exists. That is the problem.

So we investigated to find out in the code why this SSH connection still exists. And we figured out that when we delete the allow SSH rule, the conntrack entry is still not deleted. So we fixed this problem by deleting the conntrack entry when the firewall is updated. For more detail about this bug fix, you can refer to the code review number shown on the screen. So what is conntrack? Conntrack stands for connection tracking. Connection tracking is a mechanism to track network connections. iptables keeps connection information like source address, source port, destination address, destination port, protocol, status, and so on for stateful packet filtering.
We can easily use the conntrack command to check the status of the conntrack entries. In the case of the previous example, when we delete the allow SSH rule, we have to delete the corresponding conntrack entry by using the conntrack command. But after fixing this problem, a new problem came up: updating the firewall became very slow. The problem comes only from the conntrack command, which causes performance degradation. You can see the high-level flow of the firewall service in the iptables driver: when the operator sends an update firewall instruction, it will call the delete function to start deleting the conntrack entries by using the conntrack command. This causes the performance degradation.

So the next question is: how much performance degradation? Of course, we did a test of the time consumed with several test cases. In the case of 100 firewall rules included in the firewall, we think that is okay, but in the case of a firewall including 1,000 rules we will need a little bit of patience, and in the case of 10,000 rules we really need patience when the firewall updates. We can see that the time grows linearly with the number of rules, and of course 458 seconds to update a firewall with 10,000 rules is a nightmare.

So we continued to investigate to find a solution to overcome this situation. Fortunately, we found a new solution without calling the conntrack command. For more detail about this solution, because I do not have enough time to explain in detail, if you want, you can refer to it, but I want to highlight what the difference is between the new implementation and the current implementation. With the current implementation, if we want to update a firewall that includes 1,000 firewall rules, we have to release the corresponding 1,000 conntrack entries. It means that we have to call the conntrack command 1,000 times. But with the new solution, when we want to update 1,000 firewall rules, we just use the netlink library to interact with the netfilter conntrack, and it means no conntrack command calls.
This is the key point; this is the key difference that makes the new solution much faster compared with the current implementation. So the next question is: how much performance improvement does the new netlink solution give compared with the current implementation? We ran a benchmark test for both the current implementation and the new netlink implementation, and you can see that the performance improvement is up to 98%. In the case you can see at number 9, updating the firewall with 10,000 rules, the time consumed for the one second. This is another view of the comparison.

But because I do not have time to show the demo in detail, at least I want to show you how to configure to use the netlink solution. Assume that we have the firewall service enabled, with the latest source of the firewall service repository. If you want to use the new implementation, we support a new option, the conntrack driver option. With this option, we can easily configure to switch between the current implementation and the new implementation. So conntrack will be used, but if you want to use the new netlink solution, you just replace conntrack with the netlink conntrack option and then just restart the service, just restart the Neutron-related services, and then you can enjoy and verify the result. So, as on the presentation here, if we want to do more, you can just easily make the configuration.

So the last item I want to present here is about the future work. Currently this solution is already available on the master branch in the Pike cycle, and it is going to be backported to the Ocata stable branch; it is under discussion with the stable team. And now we are trying to adopt this solution for security groups in Neutron, and it is getting good feedback from the Neutron core reviewers and also the Neutron PTL, who encouraged us to isolate the project to adopt the solution for security groups in the Pike cycle. After that we will continue with Firewall as a Service v2, because as you know, Firewall as a Service v2 is currently under construction and they plan to release firewall v2 in Pike. After that we will continue. And this is today's presentation. Any questions? Thank you very much for your time.
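
An added example, not part of the talk and not neutron-fwaas code: a Python sketch contrasting the command-per-rule cleanup described above (one `conntrack -D` process per removed rule) with a single in-process pass over one snapshot of the connection table, which is the kind of work a netlink-based driver can do without spawning commands. The rule dictionary shape, the function names and the sample table are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in `conntrack -L` listing format (not captured from a real host).
SAMPLE_TABLE = """\
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=10.0.0.20 sport=51234 dport=22 src=10.0.0.20 dst=192.0.2.10 sport=22 dport=51234 [ASSURED] mark=0 use=1
tcp      6 431990 ESTABLISHED src=192.0.2.11 dst=10.0.0.20 sport=40022 dport=443 src=10.0.0.20 dst=192.0.2.11 sport=443 dport=40022 [ASSURED] mark=0 use=1
udp      17 25 src=10.0.0.20 dst=198.51.100.53 sport=33000 dport=53 src=198.51.100.53 dst=10.0.0.20 sport=53 dport=33000 mark=0 use=1
tcp      6 431000 ESTABLISHED src=203.0.113.7 dst=10.0.0.21 sport=50000 dport=22 src=10.0.0.21 dst=203.0.113.7 sport=22 dport=50000 [ASSURED] mark=0 use=1
"""

FIELD = re.compile(r"\b(src|dst|sport|dport)=(\S+)")

def parse_entry(line):
    """Return the original-direction tuple of one conntrack listing line."""
    entry = {"proto": line.split()[0]}
    for key, value in FIELD.findall(line):
        entry.setdefault(key, value)  # first occurrence is the original direction
    return entry

def matches(rule, entry):
    """True if a deleted allow rule (hypothetical dict shape) covered this flow."""
    if rule["proto"] != entry["proto"]:
        return False
    if rule.get("dport") and str(rule["dport"]) != entry.get("dport"):
        return False
    dst_net = ipaddress.ip_network(rule.get("dst", "0.0.0.0/0"))
    return ipaddress.ip_address(entry["dst"]) in dst_net

def per_rule_commands(removed_rules):
    """Command-per-rule approach: one `conntrack -D` argv per removed rule."""
    cmds = []
    for rule in removed_rules:
        cmd = ["conntrack", "-D", "-p", rule["proto"]]
        if "dst" in rule:
            cmd += ["-d", rule["dst"]]
        if "dport" in rule:
            cmd += ["--dport", str(rule["dport"])]
        cmds.append(cmd)
    return cmds

def entries_to_flush(table_text, removed_rules):
    """One pass over a table snapshot; no process is spawned per rule."""
    entries = [parse_entry(l) for l in table_text.splitlines() if l.strip()]
    return [e for e in entries if any(matches(r, e) for r in removed_rules)]
```

With 1,000 removed rules, `per_rule_commands` yields 1,000 separate process launches, while `entries_to_flush` still reads the table once; checking that the result is empty after a rule deletion is also a quick way to verify that no established flow outlives its allow rule.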