neutron fwaas v2 log function does not work

Bug #1833156 reported by zhanghao
Affects: neutron | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

OpenStack version: Rocky
Operating system: CentOS 7
libnetfilter_log-1.0.1-7.el7.x86_64

neutron.conf
[DEFAULT]
service_plugins = router,firewall_v2,log
[service_providers]
service_provider = FIREWALL_V2:fwaas_db:neutron_fwaas.services.firewall.service_drivers.agents.agents.FirewallAgentDriver:default

fwaas_driver.ini
[fwaas]
agent_version = v2
driver = neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.iptables_fwaas_v2.IptablesFwaasDriver
enabled = True

l3_agent.ini
[agent]
extensions = fwaas_v2,fwaas_v2_log
[network_log]
rate_limit = 100
burst_limit = 25
local_output_log_base = /var/log/neutron/test_l3.log

Topology
vm1 172.16.10.14
vm2 172.16.20.12
r1 172.16.10.1
   172.16.20.1

#openstack firewall group rule show deny_ping
+------------------------+-------------------------------------------+
| Field                  | Value                                     |
+------------------------+-------------------------------------------+
| Action                 | deny                                      |
| Description            |                                           |
| Destination IP Address | 172.16.20.12                              |
| Destination Port       | None                                      |
| Enabled                | True                                      |
| ID                     | a3231ec7-f0a0-48cd-b063-2bf0348ee0c5      |
| IP Version             | 4                                         |
| Name                   | deny_ping                                 |
| Project                | f8c73e555a294972964781606efb5291          |
| Protocol               | icmp                                      |
| Shared                 | False                                     |
| Source IP Address      | 172.16.10.14                              |
| Source Port            | None                                      |
| firewall_policy_id     | [u'cd9b4031-7d8c-4721-99aa-dedac7e1317f'] |
| project_id             | f8c73e555a294972964781606efb5291          |
+------------------------+-------------------------------------------+

#openstack network log show my-log
+-----------------+--------------------------------------+
| Field           | Value                                |
+-----------------+--------------------------------------+
| Description     |                                      |
| Enabled         | True                                 |
| Event           | ALL                                  |
| ID              | 009cdc65-360d-46c1-9366-360c8b094351 |
| Name            | my-log                               |
| Project         | f8c73e555a294972964781606efb5291     |
| Resource        | 087a286e-bb7b-4583-bac4-0a7828c88e91 |
| Target          | None                                 |
| Type            | firewall_group                       |
| created_at      | 2019-06-13T07:46:13Z                 |
| revision_number | 0                                    |
| tenant_id       | f8c73e555a294972964781606efb5291     |
| updated_at      | 2019-06-13T07:46:13Z                 |
+-----------------+--------------------------------------+

#ip netns exec qrouter-38b02e81-bb69-48aa-9ca1-23b371af0b7f iptables -nvL
Chain neutron-l3-agent-dropped (5 references)
 pkts bytes target prot opt in out source destination
   40 3360 NFLOG all -- qr-5feaec8e-8b * 0.0.0.0/0 0.0.0.0/0 limit: avg 100/sec burst 25 nflog-prefix 12876978778924028228
    0 0 NFLOG all -- * qr-5feaec8e-8b 0.0.0.0/0 0.0.0.0/0 limit: avg 100/sec burst 25 nflog-prefix 12876978778924028228
   40 3360 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

--------------------------
NFLOG has obtained the packet, but the log file has no record information.

Tags: fwaas
zhanghao (zhanghao2)
description: updated
tags: added: fwaas
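
The check the report makes by eye, written out as an added example (not part of the original report and not neutron or neutron-fwaas code): it parses `iptables -nvL` output, extracts the NFLOG rules with their counters, and separates "packets matched NFLOG but nothing was written" from "no packets matched". The sample listing is copied from the report; the function names and the `log_lines` argument (the line count of the file set in `local_output_log_base`) are assumptions of this example.

```python
import re

# Constructed sample: the chain listing quoted in the report.
SAMPLE = """\
Chain neutron-l3-agent-dropped (5 references)
 pkts bytes target prot opt in out source destination
   40 3360 NFLOG all -- qr-5feaec8e-8b * 0.0.0.0/0 0.0.0.0/0 limit: avg 100/sec burst 25 nflog-prefix 12876978778924028228
    0 0 NFLOG all -- * qr-5feaec8e-8b 0.0.0.0/0 0.0.0.0/0 limit: avg 100/sec burst 25 nflog-prefix 12876978778924028228
   40 3360 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
"""

# One rule row: pkts, bytes, target, prot, opt, in, out, source, destination, match text.
RULE = re.compile(r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s+\S+\s+\S+(.*)$")
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}  # -v abbreviates large counters


def counter(text):
    """Convert an iptables counter such as '40' or '12K' to an integer."""
    return int(text[:-1]) * SUFFIX[text[-1]] if text[-1] in SUFFIX else int(text)


def nflog_rules(listing):
    """Return every NFLOG rule in the listing with its chain, counters and prefix."""
    chain, rules = None, []
    for line in listing.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        m = RULE.match(line)
        if not m or m.group(3) != "NFLOG":
            continue  # header row, blank line, or a non-NFLOG target such as DROP
        prefix = re.search(r'nflog-prefix\s+"?([^"\s]+)', m.group(6))
        rules.append({"chain": chain, "pkts": counter(m.group(1)), "bytes": counter(m.group(2)),
                      "in": m.group(4), "out": m.group(5),
                      "prefix": prefix.group(1) if prefix else None})
    return rules


def triage(listing, log_lines):
    """Classify the symptom from NFLOG counters and the number of lines in the log file."""
    matched = sum(r["pkts"] for r in nflog_rules(listing))
    if matched == 0:
        return "no-nflog-match"        # traffic never reached an NFLOG rule
    if log_lines == 0:
        return "matched-but-unlogged"  # the state this report describes
    return "logging"


if __name__ == "__main__":
    for rule in nflog_rules(SAMPLE):
        print(rule)
    print(triage(SAMPLE, log_lines=0))
```

Run the listing through it before and after generating test traffic: a rising `pkts` value with `log_lines` still at 0 reproduces the state described above.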