neutron fwaas v2 log function does not work
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | New | Undecided | Unassigned |
Bug Description
OpenStack version: Rocky
Operating system: CentOS 7
libnetfilter_
neutron.conf
[DEFAULT]
service_plugins = router,
[service_providers]
service_provider = FIREWALL_
fwaas_driver.ini
[fwaas]
agent_version = v2
driver = neutron_
enabled = True
l3_agent.ini
[agent]
extensions = fwaas_v2,
[network_log]
rate_limit = 100
burst_limit = 25
local_output_
Topology
vm1 172.16.10.14
vm2 172.16.20.12
r1 172.16.10.1
172.16.20.1
#openstack firewall group rule show deny_ping
+------
| Field | Value |
+------
| Action | deny |
| Description | |
| Destination IP Address | 172.16.20.12 |
| Destination Port | None |
| Enabled | True |
| ID | a3231ec7-
| IP Version | 4 |
| Name | deny_ping |
| Project | f8c73e555a29497
| Protocol | icmp |
| Shared | False |
| Source IP Address | 172.16.10.14 |
| Source Port | None |
| firewall_policy_id | [u'cd9b4031-
| project_id | f8c73e555a29497
+------
#openstack network log show my-log
+------
| Field | Value |
+------
| Description | |
| Enabled | True |
| Event | ALL |
| ID | 009cdc65-
| Name | my-log |
| Project | f8c73e555a29497
| Resource | 087a286e-
| Target | None |
| Type | firewall_group |
| created_at | 2019-06-
| revision_number | 0 |
| tenant_id | f8c73e555a29497
| updated_at | 2019-06-
+------
#ip netns exec qrouter-
Chain neutron-
pkts bytes target prot opt in out source destination
40 3360 NFLOG all -- qr-5feaec8e-8b * 0.0.0.0/0 0.0.0.0/0 limit: avg 100/sec burst 25 nflog-prefix 128769787789240
0 0 NFLOG all -- * qr-5feaec8e-8b 0.0.0.0/0 0.0.0.0/0 limit: avg 100/sec burst 25 nflog-prefix 128769787789240
40 3360 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
-------
NFLOG has obtained the packet, but the log file has no record information.