[FW Logging] NFLOG rules still remains after deleting log resource

Bug #1786746 reported by LongKB on 2018-08-13
Affects Status Importance Assigned to Milestone
neutron
Undecided
LongKB

Bug Description

I have tested a logging feature for firewall_group in stable/rocky [1], and found a bug. Please follow the following testcase to reproduce this bug:

Environment:
- Devstack stable/rocky
- Install devstack with local.conf: http://paste.openstack.org/show/727916/
- Topology: Set up topology with the following script http://paste.openstack.org/show/727918/

Testcase
--------
- Create log resource:
  openstack network log create --resource-type firewall_group --event accept testAccept

- Show iptables config:
  router_id=$(openstack router list | grep router0 | awk '{print$2}')
  router_ns='qrouter-'$router_id
  sudo ip netns exec $router_ns iptables -nvL

- The results showed that NFLOG was already added correctly into iptables: http://paste.openstack.org/show/727920/

Bug triggering
--------------
Delete log-resource with: openstack network log delete testAccept
Error logs: http://paste.openstack.org/show/727919/
=> Expectation: NFLOGs for ACCEPT disappear
=> Observed: NFLOGs for ACCEPT still remain => Bug

References:
[1] https://docs.openstack.org/neutron/latest/admin/config-logging.html#service-workflow-for-operator
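The check behind the reproduction above, as an added example that is not part of the bug report and not neutron-fwaas code: it parses `iptables -S` style output captured in the router namespace before and after `openstack network log delete`, and lists any NFLOG rules that survived the deletion. The rule text, chain names and nflog-prefix values below are constructed for illustration (real neutron-fwaas chain and prefix naming is not reproduced here); the function and class names are this example's own.

```python
"""Detect NFLOG rules that survive deletion of a FWaaS log resource.

Added example, not code from the bug report or from neutron-fwaas.
Input is assumed to be `iptables -S` output from the router namespace,
e.g.  sudo ip netns exec $router_ns iptables -S
captured once before and once after the log resource is deleted.
"""
import re
from typing import List, NamedTuple


class NflogRule(NamedTuple):
    chain: str
    prefix: str
    group: str


# Matches rules of the form (whitespace-insensitive):
#   -A <chain> ... -j NFLOG --nflog-prefix "<text>" --nflog-group <n>
# Both --nflog-prefix and --nflog-group are optional in iptables.
_NFLOG_RE = re.compile(
    r'^-A\s+(?P<chain>\S+)\s.*?-j\s+NFLOG'
    r'(?:\s+--nflog-prefix\s+(?:"(?P<qprefix>[^"]*)"|(?P<prefix>\S+)))?'
    r'(?:\s+--nflog-group\s+(?P<group>\d+))?'
)


def nflog_rules(iptables_s_output: str) -> List[NflogRule]:
    """Return every NFLOG rule found in `iptables -S` output."""
    rules = []
    for line in iptables_s_output.splitlines():
        m = _NFLOG_RE.match(line.strip())
        if not m:
            continue
        prefix = m.group("qprefix")
        if prefix is None:
            prefix = m.group("prefix") or ""
        rules.append(NflogRule(m.group("chain"), prefix, m.group("group") or ""))
    return rules


def leftover_nflog_rules(before: str, after: str) -> List[NflogRule]:
    """NFLOG rules present before the delete that are still present after it."""
    still_there = set(nflog_rules(after))
    return [r for r in nflog_rules(before) if r in still_there]


def log_deletion_succeeded(before: str, after: str) -> bool:
    """True when no NFLOG rule from the 'before' snapshot survived."""
    return not leftover_nflog_rules(before, after)


# Constructed snapshots (chain names and prefixes are made up for this
# example; they are not the names neutron-fwaas generates).
BEFORE = """\
-P FORWARD ACCEPT
-N example-fwg-ingress
-A example-fwg-ingress -s 10.0.0.0/24 -j NFLOG --nflog-prefix "fwg-accept-example" --nflog-group 1
-A example-fwg-ingress -s 10.0.0.0/24 -j ACCEPT
-A example-fwg-ingress -j DROP
"""

# The behaviour this bug reports: the accept rule is gone but NFLOG stays.
AFTER_BUGGY = """\
-P FORWARD ACCEPT
-N example-fwg-ingress
-A example-fwg-ingress -s 10.0.0.0/24 -j NFLOG --nflog-prefix "fwg-accept-example" --nflog-group 1
-A example-fwg-ingress -s 10.0.0.0/24 -j ACCEPT
-A example-fwg-ingress -j DROP
"""

# The expected behaviour after deleting the log resource.
AFTER_FIXED = """\
-P FORWARD ACCEPT
-N example-fwg-ingress
-A example-fwg-ingress -s 10.0.0.0/24 -j ACCEPT
-A example-fwg-ingress -j DROP
"""


if __name__ == "__main__":
    for label, snapshot in (("buggy", AFTER_BUGGY), ("fixed", AFTER_FIXED)):
        left = leftover_nflog_rules(BEFORE, snapshot)
        print(f"{label}: deletion ok = {not left}; leftover = {left}")
```

In a real run, capture `iptables -S` (not `-nvL`, whose column layout is harder to parse) inside the router namespace before and after the delete, then feed both captures to `leftover_nflog_rules`; a non-empty result is the symptom described in this bug.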

LongKB (longkb.fvl) on 2018-08-13
summary: - [FW Logging] NFLOG rules still remains after delete log resource
+ [FW Logging] NFLOG rules still remains after deleting log resource
Changed in neutron:
assignee: nobody → Kim Bao Long (longkb.fvl)
status: New → In Progress
Pawel Suder (pasuder) wrote :

Hello Kim, thank you for your information.

I would like to ask you to provide extra information:

- which services/plugins did you have enabled on your Devstack?
- which commands did you execute to reproduce the issue?
- which commands did you execute to confirm the issue?
- could you provide logs from neutron services, please?

Thank you! Paweł

LongKB (longkb.fvl) wrote :

Hi Suder,
Thanks for your comments. I have already added the detail about this bug. Please check the Bug Description for more detail.
Thank you very much

description: updated
LongKB (longkb.fvl) on 2018-08-14
description: updated
Pawel Suder (pasuder) wrote :

Great, thank you Kim!

Reviewed: https://review.openstack.org/590682
Committed: https://git.openstack.org/cgit/openstack/neutron-fwaas/commit/?id=6ccdd943a3cec92e559dd842407382a3dca5f484
Submitter: Zuul
Branch: master

commit 6ccdd943a3cec92e559dd842407382a3dca5f484
Author: Kim Bao Long <email address hidden>
Date: Fri Aug 10 14:41:54 2018 +0700

    Remove remaining NFLOG rules on deleting log resource

    Currently, NFLOG rules are still remaining after deletion of log
    resources from "ACCEPT" or "DROP" events. This patch aims to remove
    these rules. In addition, it also cleans up unused iptables manager per
    port to avoid memory consumption of self.ipt_mgr_list in [1]

    [1] https://review.openstack.org/#/c/553738/

    Closes-Bug: #1786746
    Change-Id: Id8db35c9e11c11f186f15565fcbc2cfa67d9ebd4
    Co-Authored-By: Nguyen Phuong An <email address hidden>

Changed in neutron:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/593990
Committed: https://git.openstack.org/cgit/openstack/neutron-fwaas/commit/?id=7567c42e99b298201b30593699d1e180e5bfa759
Submitter: Zuul
Branch: stable/rocky

commit 7567c42e99b298201b30593699d1e180e5bfa759
Author: Kim Bao Long <email address hidden>
Date: Fri Aug 10 14:41:54 2018 +0700

    Remove remaining NFLOG rules on deleting log resource

    Currently, NFLOG rules are still remaining after deletion of log
    resources from "ACCEPT" or "DROP" events. This patch aims to remove
    these rules. In addition, it also cleans up unused iptables manager per
    port to avoid memory consumption of self.ipt_mgr_list in [1]

    [1] https://review.openstack.org/#/c/553738/

    Closes-Bug: #1786746
    Change-Id: Id8db35c9e11c11f186f15565fcbc2cfa67d9ebd4
    Co-Authored-By: Nguyen Phuong An <email address hidden>
    (Cherry-picked from commit 6ccdd943a3cec92e559dd842407382a3dca5f484)

tags: added: in-stable-rocky

This issue was fixed in the openstack/neutron-fwaas 13.0.0.0rc2 release candidate.

This issue was fixed in the openstack/neutron-fwaas 14.0.0.0b1 development milestone.
