[OVN] Security group logging only logs half of the connection

Bug #2003706 reported by Elvira García Ruiz
This bug affects 1 person
Affects: neutron
Status: Fix Released
Importance: Medium
Assigned to: Elvira García Ruiz

Bug Description

With the OVN security group logging feature enabled, only packets in one direction (from client to server) are actually logged. This happens because there is a single OpenFlow rule created for the returned traffic and it has no logging action.

Steps:
- Create a server associated with a security group.
- Add a network log object that logs accepted traffic from that security group.
- Check logs in ovn-controller.log.

Expected results:
- We get the packets incoming to and outgoing from the server.

Actual results:
- We only see incoming packets.

More info at: https://bugzilla.redhat.com/show_bug.cgi?id=2152877
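
A check for the symptom described above, as an added example that is not part of the bug report or the Neutron patch: it scans ovn-controller.log text for ACL log entries and reports flows whose reverse direction was never logged. The log lines are constructed, and the acl_log line layout and the IPv4 field names (nw_src, nw_dst, tp_src, tp_dst) are assumptions about the OVN log format.

```python
import re

# Constructed sample lines (not taken from the bug report). The ACL name and
# addresses are made up; the line layout is assumed from OVN's acl_log output.
SAMPLE_LOG = """\
2023-01-19T13:48:23.101Z|00004|acl_log(ovn_pinctrl0)|INFO|name="neutron-example-log", verdict=allow, severity=info, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=fa:16:3e:00:00:01,dl_dst=fa:16:3e:00:00:02,nw_src=10.0.0.5,nw_dst=10.0.0.10,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=51234,tp_dst=22,tcp_flags=syn
2023-01-19T13:48:23.102Z|00005|acl_log(ovn_pinctrl0)|INFO|name="neutron-example-log", verdict=allow, severity=info, direction=from-lport: tcp,vlan_tci=0x0000,dl_src=fa:16:3e:00:00:02,dl_dst=fa:16:3e:00:00:01,nw_src=10.0.0.10,nw_dst=10.0.0.5,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=22,tp_dst=51234,tcp_flags=syn|ack
2023-01-19T13:48:24.200Z|00006|acl_log(ovn_pinctrl0)|INFO|name="neutron-example-log", verdict=allow, severity=info, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=fa:16:3e:00:00:03,dl_dst=fa:16:3e:00:00:02,nw_src=10.0.0.7,nw_dst=10.0.0.10,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=40000,tp_dst=80,tcp_flags=syn
2023-01-19T13:48:25.000Z|00007|binding|INFO|Claiming lport example-port for this chassis.
"""

ACL_LINE = re.compile(
    r'\|acl_log\([^)]*\)\|\w+\|name="(?P<name>[^"]*)", verdict=(?P<verdict>[\w-]+), '
    r'severity=\w+, direction=(?P<direction>[\w-]+): (?P<proto>\w+),(?P<fields>.*)$')


def parse_flows(log_text):
    """Yield (acl_name, proto, src, sport, dst, dport) for each acl_log line."""
    for line in log_text.splitlines():
        m = ACL_LINE.search(line)
        if not m:
            continue  # other ovn-controller messages are ignored
        kv = dict(f.split("=", 1) for f in m["fields"].split(",") if "=" in f)
        yield (m["name"], m["proto"], kv.get("nw_src", ""), kv.get("tp_src", ""),
               kv.get("nw_dst", ""), kv.get("tp_dst", ""))


def half_logged(log_text):
    """Return logged flows whose reverse 5-tuple never appears in the log."""
    flows = {}
    for name, *tup in parse_flows(log_text):
        flows.setdefault(tuple(tup), name)  # key: (proto, src, sport, dst, dport)
    return sorted((name, *t) for t, name in flows.items()
                  if (t[0], t[3], t[4], t[1], t[2]) not in flows)


if __name__ == "__main__":
    for flow in half_logged(SAMPLE_LOG):
        print("only one direction logged:", flow)
```

On a deployment still affected by this bug, every accepted connection would appear in the result, since no reply packet is ever logged.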

description: updated
Changed in neutron:
status: New → In Progress
Changed in neutron:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/zed)

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/neutron/+/872303

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/yoga)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/neutron/+/872304

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/neutron/+/872305

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/neutron/+/872306

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/871096
Committed: https://opendev.org/openstack/neutron/commit/f7e31b4c0533687622f8f2644c802574e31536f7
Submitter: "Zuul (22348)"
Branch: master

commit f7e31b4c0533687622f8f2644c802574e31536f7
Author: Elvira García <email address hidden>
Date: Thu Jan 19 14:48:23 2023 +0100

    [OVN] Allow logging all traffic related to an ACL

    Before this patch, we would only get logged the client to server side of
    the communication. The OVN allow-related ACL option was implemented [0]
    so as to be able to log also the packets that are going from server to
    client. This patch implements the addition of that feature in Neutron
    and needs OVN version 22.03 or updated 21.12.

    [0] https://patchwork<email address hidden>/

    Closes-Bug: #2003706
    Change-Id: I72d061c333f53e07f6feedec032e2c0b06a61248
    Signed-off-by: Elvira García <email address hidden>

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/872305
Committed: https://opendev.org/openstack/neutron/commit/7d12e285c009d2ca5a5a97d0096468081be68cb3
Submitter: "Zuul (22348)"
Branch: stable/xena

commit 7d12e285c009d2ca5a5a97d0096468081be68cb3
Author: Elvira García <email address hidden>
Date: Thu Jan 19 14:48:23 2023 +0100

    [OVN] Allow logging all traffic related to an ACL

    Before this patch, we would only get logged the client to server side of
    the communication. The OVN allow-related ACL option was implemented [0]
    so as to be able to log also the packets that are going from server to
    client. This patch implements the addition of that feature in Neutron
    and needs OVN version 22.03 or updated 21.12.

    [0] https://patchwork<email address hidden>/

    Closes-Bug: #2003706
    Change-Id: I72d061c333f53e07f6feedec032e2c0b06a61248
    Signed-off-by: Elvira García <email address hidden>
    (cherry picked from commit f7e31b4c0533687622f8f2644c802574e31536f7)

tags: added: in-stable-xena
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/yoga)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/872304
Committed: https://opendev.org/openstack/neutron/commit/a70cfffef35f4ad90754b6a9c73766fc3584b2d2
Submitter: "Zuul (22348)"
Branch: stable/yoga

commit a70cfffef35f4ad90754b6a9c73766fc3584b2d2
Author: Elvira García <email address hidden>
Date: Thu Jan 19 14:48:23 2023 +0100

    [OVN] Allow logging all traffic related to an ACL

    Before this patch, we would only get logged the client to server side of
    the communication. The OVN allow-related ACL option was implemented [0]
    so as to be able to log also the packets that are going from server to
    client. This patch implements the addition of that feature in Neutron
    and needs OVN version 22.03 or updated 21.12.

    [0] https://patchwork<email address hidden>/

    Closes-Bug: #2003706
    Change-Id: I72d061c333f53e07f6feedec032e2c0b06a61248
    Signed-off-by: Elvira García <email address hidden>
    (cherry picked from commit f7e31b4c0533687622f8f2644c802574e31536f7)

tags: added: in-stable-yoga
tags: added: in-stable-wallaby
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/872306
Committed: https://opendev.org/openstack/neutron/commit/e10476d8419a0eeb3c0585c45920521c22303bc4
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit e10476d8419a0eeb3c0585c45920521c22303bc4
Author: Elvira García <email address hidden>
Date: Thu Jan 19 14:48:23 2023 +0100

    [OVN] Allow logging all traffic related to an ACL

    Before this patch, we would only get logged the client to server side of
    the communication. The OVN allow-related ACL option was implemented [0]
    so as to be able to log also the packets that are going from server to
    client. This patch implements the addition of that feature in Neutron
    and needs OVN version 22.03 or updated 21.12.

    [0] https://patchwork<email address hidden>/

    Closes-Bug: #2003706
    Change-Id: I72d061c333f53e07f6feedec032e2c0b06a61248
    Signed-off-by: Elvira García <email address hidden>
    (cherry picked from commit f7e31b4c0533687622f8f2644c802574e31536f7)

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/zed)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/872303
Committed: https://opendev.org/openstack/neutron/commit/d0d014c598aec28b3e0296bdb85f4e96474286db
Submitter: "Zuul (22348)"
Branch: stable/zed

commit d0d014c598aec28b3e0296bdb85f4e96474286db
Author: Elvira García <email address hidden>
Date: Thu Jan 19 14:48:23 2023 +0100

    [OVN] Allow logging all traffic related to an ACL

    Before this patch, we would only get logged the client to server side of
    the communication. The OVN allow-related ACL option was implemented [0]
    so as to be able to log also the packets that are going from server to
    client. This patch implements the addition of that feature in Neutron
    and needs OVN version 22.03 or updated 21.12.

    [0] https://patchwork<email address hidden>/

    Closes-Bug: #2003706
    Change-Id: I72d061c333f53e07f6feedec032e2c0b06a61248
    Signed-off-by: Elvira García <email address hidden>
    (cherry picked from commit f7e31b4c0533687622f8f2644c802574e31536f7)

tags: added: in-stable-zed
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 22.0.0.0rc1

This issue was fixed in the openstack/neutron 22.0.0.0rc1 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 19.6.0

This issue was fixed in the openstack/neutron 19.6.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 20.3.0

This issue was fixed in the openstack/neutron 20.3.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 21.1.0

This issue was fixed in the openstack/neutron 21.1.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron wallaby-eom

This issue was fixed in the openstack/neutron wallaby-eom release.
