neutron

Firewall Logging does not work when changing port state to UP after restarting q-l3.service

Bug #1788759 reported by Vu Cong Tuan on 2018-08-24

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	neutron	Fix Released	Medium	Yushiro FURUKAWA

Bug Description

Steps to reproduce this bug:
#1 Create network net0 with subnet subnet0
openstack network create --share net0
openstack subnet create subnet0 --ip-version 4 --gateway 10.10.0.1 --network net0 --subnet-range 10.10.0.0/24

#2 Create router router0 and attach subnet0 to router0
openstack router create router0
openstack router add subnet router0 subnet0

#3 Create fwg1 with default ingress, egress firewall group policy from admin project
project_id=$(openstack project show admin | grep ' id' | awk '{print$4}')
i_fwp_id=$(openstack firewall group policy list --long | grep ingress | grep $project_id | awk '{print$2}')
e_fwp_id=$(openstack firewall group policy list --long | grep egress | grep $project_id | awk '{print$2}')

#4 Create and attach fwg1 to internal router port that attaches to net0
net0_port=$(openstack port list | grep -e "'10.10.0.1'" | awk '{print$2}')
openstack firewall group create --name fwg1 --port $net0_port --ingress-firewall-policy $i_fwp_id --egress-firewall-policy $e_fwp_id

#5 Create a logging resource for fwg1
openstack network log create --resource-type firewall_group --resource fwg1 --enable --event ALL Log_all_defined_resource
# Check iptables of netns of router0 => NFLOGs are added (OK)
http://paste.openstack.org/show/728805/

#6 Update net0_port 'state' into 'DOWN'
openstack port set $net0_port --disable
# Check iptables of netns of router0 => NFLOGs stay the same (are not removed)
=> this is accepted

#7 Restart q-l3.service
sudo systemctl restart <email address hidden>
# Check iptables of netns of router0 => NFLOGs are removed
http://paste.openstack.org/show/728806/

#8 Changing net0_port status from 'DOWN' to 'UP'
openstack port set $net0_port --enable
# Check iptables of netns of router0

Expected result: NFLOGs should be recovered like http://paste.openstack.org/show/728805/
Actual result: NFLOGs are NOT recovered (http://paste.openstack.org/show/728806/)

In addition, without step "#7 Restart q-l3.service", everything works as expected.

See original description

Tags:

Revision history for this message

LongKB (longkb.fvl) wrote on 2018-08-24:

Thanks for procedure. I confirmed this is a new bug in FW Logging.

Changed in neutron:
status:	New → Confirmed

Revision history for this message

Yushiro FURUKAWA (y-furukawa-2) wrote on 2018-08-24:

Did you check the latest devstack? In addition, it is also occurred on stable/rocky ??

Revision history for this message

Vu Cong Tuan (tuan.vu) wrote on 2018-08-24:

Hi Furukawa-san,
Yes, I have checked with the latest devstack.
I also would like to confirm that it occurs on stable/rocky as well.

Hongbin Lu (hongbin.lu) on 2018-08-26

tags:

added: ovs-fw

Vu Cong Tuan (tuan.vu) on 2018-08-27

summary:

- Logging does not update NFLOGs when changing port state to UP
+ Firewall Logging does not work when changing port state to UP after
+ restarting q-l3.service

Vu Cong Tuan (tuan.vu) on 2018-08-27

description:

updated

Revision history for this message

Vu Cong Tuan (tuan.vu) wrote on 2018-08-27:

Hi,
Bug Description has just been updated for more details.
If there's any concern for "steps to reproduce this bug", please feel free to let me know.
Thank you very much.

Hongbin Lu (hongbin.lu) on 2018-08-27

Changed in neutron:
importance:	Undecided → Medium

OpenStack Infra (hudson-openstack) on 2018-09-07

Changed in neutron:
assignee:	nobody → LongKB (longkb.fvl)
status:	Confirmed → In Progress

OpenStack Infra (hudson-openstack) on 2018-10-11

Changed in neutron:
assignee:	LongKB (longkb.fvl) → Yushiro FURUKAWA (y-furukawa-2)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-10-14: Fix merged to neutron-fwaas (master)

Reviewed: https://review.openstack.org/600660
Committed: https://git.openstack.org/cgit/openstack/neutron-fwaas/commit/?id=48b82f7c925d1fdbe0a5b69f99999ecd6ca731c5
Submitter: Zuul
Branch: master

commit 48b82f7c925d1fdbe0a5b69f99999ecd6ca731c5
Author: Kim Bao Long <email address hidden>
Date: Fri Sep 7 12:30:25 2018 +0700

Subscribe Neutron port update events for FWG Logging handling

    Currently, FWaaS L3 logging only sync with firewall group related
    events, it does not care about Neutron port status update as reported
    in [1]. This patch aims to subscribe Neutron callback events that will
    trigger FWG Logging driver for further handling.

[1] https://bugs.launchpad.net/neutron/+bug/1788759

    Change-Id: If2754040dad0bae6c224ceaec8b7e66436a2195d
    Co-Authored-By: Nguyen Phuong An <email address hidden>
    Closes-Bug: #1788759

Changed in neutron:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-10-18: Fix proposed to neutron-fwaas (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/611473

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-02-26: Fix included in openstack/neutron-fwaas 14.0.0.0b1

This issue was fixed in the openstack/neutron-fwaas 14.0.0.0b1 development milestone.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-04-09: Fix merged to neutron-fwaas (stable/rocky)

Reviewed: https://review.openstack.org/611473
Committed: https://git.openstack.org/cgit/openstack/neutron-fwaas/commit/?id=5b31f2320bddc556747a5f54ef6460689eeeebac
Submitter: Zuul
Branch: stable/rocky

commit 5b31f2320bddc556747a5f54ef6460689eeeebac
Author: Kim Bao Long <email address hidden>
Date: Fri Sep 7 12:30:25 2018 +0700

Subscribe Neutron port update events for FWG Logging handling

[1] https://bugs.launchpad.net/neutron/+bug/1788759

    Change-Id: If2754040dad0bae6c224ceaec8b7e66436a2195d
    Co-Authored-By: Nguyen Phuong An <email address hidden>
    Closes-Bug: #1788759
    (cherry picked from commit 48b82f7c925d1fdbe0a5b69f99999ecd6ca731c5)