Activity log for bug #1788759

Date | Who | What changed | Old value | New value | Message
2018-08-24 03:39:20 | Vu Cong Tuan | bug | | | added bug
2018-08-24 04:15:15 | LongKB | neutron: status | New | Confirmed |
2018-08-26 00:18:08 | Hongbin Lu | tags | | ovs-fw |
2018-08-27 02:19:40 | Vu Cong Tuan | summary | Logging does not update NFLOGs when changing port state to UP | Firewall Logging does not work when changing port state to UP after restarting q-l3.service |
2018-08-27 02:27:53 | Vu Cong Tuan | description | (old and new values follow) | |

Old value:

    Steps to reproduce this bug:
    1. Create log
    2. Update port 'state' into 'DOWN'
       openstack port set <port_id> --disable
       => NFLOGs are not removed, this is accepted
    3. Restart L3
       => NFLOGs are removed
    4. Changing port status from DOWN to UP

    Expected result: NFLOGs should be recovered
    Actual result: NFLOGs are NOT recovered

    In addition, without step 3, everything works as expected.

New value:

    Steps to reproduce this bug:

    #1 Create network net0 with subnet subnet0
    openstack network create --share net0
    openstack subnet create subnet0 --ip-version 4 --gateway 10.10.0.1 --network net0 --subnet-range 10.10.0.0/24

    #2 Create router router0 and attach subnet0 to router0
    openstack router create router0
    openstack router add subnet router0 subnet0

    #3 Create fwg1 with default ingress, egress firewall group policy from admin project
    project_id=$(openstack project show admin | grep ' id' | awk '{print$4}')
    i_fwp_id=$(openstack firewall group policy list --long | grep ingress | grep $project_id | awk '{print$2}')
    e_fwp_id=$(openstack firewall group policy list --long | grep egress | grep $project_id | awk '{print$2}')

    #4 Create and attach fwg1 to internal router port that attaches to net0
    net0_port=$(openstack port list | grep -e "'10.10.0.1'" | awk '{print$2}')
    openstack firewall group create --name fwg1 --port $net0_port --ingress-firewall-policy $i_fwp_id --egress-firewall-policy $e_fwp_id

    #5 Create a logging resource for fwg1
    openstack network log create --resource-type firewall_group --resource fwg1 --enable --event ALL Log_all_defined_resource
    # Check iptables of netns of router0 => NFLOGs are added (OK)
    http://paste.openstack.org/show/728805/

    #6 Update net0_port 'state' into 'DOWN'
    openstack port set $net0_port --disable
    # Check iptables of netns of router0 => NFLOGs stay the same (are not removed) => this is accepted

    #7 Restart q-l3.service
    sudo systemctl restart devstack@q-l3.service
    # Check iptables of netns of router0 => NFLOGs are removed
    http://paste.openstack.org/show/728806/

    #8 Changing net0_port status from 'DOWN' to 'UP'
    openstack port set $net0_port --enable
    # Check iptables of netns of router0

    Expected result: NFLOGs should be recovered like http://paste.openstack.org/show/728805/
    Actual result: NFLOGs are NOT recovered (http://paste.openstack.org/show/728806/)

    In addition, without step "#7 Restart q-l3.service", everything works as expected.

2018-08-27 19:22:47 | Hongbin Lu | neutron: importance | Undecided | Medium |
2018-09-07 06:30:49 | OpenStack Infra | neutron: status | Confirmed | In Progress |
2018-09-07 06:30:49 | OpenStack Infra | neutron: assignee | | LongKB (longkb.fvl) |
2018-10-11 15:12:37 | OpenStack Infra | neutron: assignee | LongKB (longkb.fvl) | Yushiro FURUKAWA (y-furukawa-2) |
2018-10-14 06:16:12 | OpenStack Infra | neutron: status | In Progress | Fix Released |
2019-04-09 23:46:15 | OpenStack Infra | tags | ovs-fw | in-stable-rocky ovs-fw |