Comment 0 for bug 1831972

James Page (james-page) wrote : support fwaas v2 logging

In order to support tracing of network traffic across an OpenStack deployment, logging of traffic traversing virtual routers on neutron-gateway/neutron-openvswitch units is required to have a complete picture of source -> firewall/router -> target network flows.

The FWaaS v2 driver supports a _log extension that is configured in the same way as the Neutron Security Group Log driver (which the charms already support).

Please add support for fwaas_v2_log for OpenStack Queens or later.

This is somewhat complicated by the fact that fwaas_v2 is only available in the charms from stein onward; a new configuration option needs to be added to the neutron-api charm to support configuration of the version of the fwaas driver to be used, along with a new configuration option to enable the log extension.

  fwaas-version: 1|2
  enable-fwaas-v2-logging: true|false

No migration path exists before stein from v1/v2 so if fwaas is already in use in Queens and Rocky deployments, the log feature will not be supportable.