[OVN] Enabling and disabling networking log objects doesn't work as expected

Bug #1996780 reported by Elvira García Ruiz
This bug affects 1 person
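+---------+--------------+------------+--------------------+-----------+
| Affects | Status       | Importance | Assigned to        | Milestone |
+---------+--------------+------------+--------------------+-----------+
| neutron | Fix Released | Medium     | Elvira García Ruiz |           |
+---------+--------------+------------+--------------------+-----------+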

Bug Description

Steps to reproduce:

1. I create a sg logging object called accept_sg1, then drop_sg1:
Both work. (Success)

2. I disable accept_sg1:
Accepted packets are not logged (Success)

3. And then I create all_sg1:
We see the same behavior as before. Accept packets are not logged, but dropped are. (Failure)
The core reason for this is that both ACCEPT and DROP ACLs already had a different log group assigned.

+--------------------------------------+---------+------------+----------------+---------------------------------------------------------------+
| ID                                   | Enabled | Name       | Type           | Summary                                                       |
+--------------------------------------+---------+------------+----------------+---------------------------------------------------------------+
| 0918edeb-e1b4-4688-945a-a0ec365c9686 | True    | all_sg1    | security_group | Event: ALL,                                                   |
|                                      |         |            |                | Logged: (security_group) a46dbb61-2d0f-465d-b950-fe3d3ba5a43e |
| 1048b03a-fc2d-432e-8bd6-b05ad75e53f5 | False   | accept_sg1 | security_group | Event: ACCEPT,                                                |
|                                      |         |            |                | Logged: (security_group) a46dbb61-2d0f-465d-b950-fe3d3ba5a43e |
| cfb09a6c-753b-4325-be51-cc3132c53be1 | True    | drop_sg1   | security_group | Event: DROP,                                                  |
|                                      |         |            |                | Logged: (security_group) a46dbb61-2d0f-465d-b950-fe3d3ba5a43e |
+--------------------------------------+---------+------------+----------------+---------------------------------------------------------------+

4. If I delete accept_sg1, all_sg1 will now be "in charge" of logging accepted packets. Dropped ones will still be logged

+--------------------------------------+---------+------------+----------------+---------------------------------------------------------------+
| ID                                   | Enabled | Name       | Type           | Summary                                                       |
+--------------------------------------+---------+------------+----------------+---------------------------------------------------------------+
| 0918edeb-e1b4-4688-945a-a0ec365c9686 | True    | all_sg1    | security_group | Event: ALL,                                                   |
|                                      |         |            |                | Logged: (security_group) a46dbb61-2d0f-465d-b950-fe3d3ba5a43e |
| cfb09a6c-753b-4325-be51-cc3132c53be1 | True    | drop_sg1   | security_group | Event: DROP,                                                  |
|                                      |         |            |                | Logged: (security_group) a46dbb61-2d0f-465d-b950-fe3d3ba5a43e |
+--------------------------------------+---------+------------+----------------+---------------------------------------------------------------+

5. If I now disable drop_sg1, I will only capture accepted packets even if the other object enabled is all_sg1

If instead of disabling and enabling the log objects for a security group, you use create and delete, the feature will work.

Actual results:
Only the first log object associated to a resource is taken into account. If you disable it, you won't see any traffic of that kind logged even if there is another log object with log enabled that allowed that kind of logging.

Expected results:

I think we could allow enable-disable to work correctly in this situation.

Extracted from: https://bugzilla.redhat.com/show_bug.cgi?id=2136860

Changed in neutron:
status: New → In Progress
Changed in neutron:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/864152
Committed: https://opendev.org/openstack/neutron/commit/f629b77d3c821717333eb740311a33a7a45b0e8d
Submitter: "Zuul (22348)"
Branch: master

commit f629b77d3c821717333eb740311a33a7a45b0e8d
Author: Elvira García <email address hidden>
Date: Thu Nov 10 00:47:53 2022 +0100

    Fix behaviour of enable/disable in OVN network log

    Previously, only the first log object created that associated to a
    certain ACL would be able to make changes to the True/False property of
    that ACL. This patch makes the driver to take in consideration each log
    object created to enable or disable an ACL logging status. A functional
    test is added so as to ensure correct behaviour of this feature.

    Closes-Bug: #1996780
    Change-Id: Ib9663495f30562f79babef163729a0c43812089d
    Signed-off-by: Elvira García <email address hidden>
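
A simplified model of the behaviour described in the report and the commit message, added here as an illustration and not taken from the neutron OVN log driver: `first_owner` reproduces the reported rule, `any_enabled` the expected one, and `logging_gaps` lists the verdicts an enabled log object requests that still go unlogged. The class and function names are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass
class LogObject:
    name: str
    event: str            # "ACCEPT", "DROP" or "ALL"
    enabled: bool = True

def covers(log, verdict):
    # A log object applies to an ACL verdict if it asks for it or for ALL.
    return log.event in ("ALL", verdict)

def first_owner(logs, verdict):
    # Reported behaviour: the first log object created for an ACL decides.
    return next((l.enabled for l in logs if covers(l, verdict)), False)

def any_enabled(logs, verdict):
    # Expected behaviour: logging is on if any enabled log object covers it.
    return any(l.enabled and covers(l, verdict) for l in logs)

def logging_gaps(logs):
    """Verdicts an enabled log object asks for but the first-owner rule drops."""
    return [v for v in ("ACCEPT", "DROP")
            if any_enabled(logs, v) and not first_owner(logs, v)]

def replay_report():
    """Replay steps 1-5 of the report; return the gaps after each step."""
    accept = LogObject("accept_sg1", "ACCEPT")
    drop = LogObject("drop_sg1", "DROP")
    logs = [accept, drop]                      # step 1, in creation order
    out = {1: logging_gaps(logs)}
    accept.enabled = False                     # step 2: disable accept_sg1
    out[2] = logging_gaps(logs)
    logs.append(LogObject("all_sg1", "ALL"))   # step 3: create all_sg1
    out[3] = logging_gaps(logs)
    logs.remove(accept)                        # step 4: delete accept_sg1
    out[4] = logging_gaps(logs)
    drop.enabled = False                       # step 5: disable drop_sg1
    out[5] = logging_gaps(logs)
    return out

if __name__ == "__main__":
    for step, gaps in replay_report().items():
        print(f"step {step}: requested but unlogged -> {gaps or 'none'}")
```

Steps 3 and 5 are the ones where an enabled `all_sg1` object does not produce the log entries an operator reviewing security group traffic would expect.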

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/zed)

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/neutron/+/865899

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/yoga)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/neutron/+/865900

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/neutron/+/865901

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/neutron/+/865902

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/zed)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/865899
Committed: https://opendev.org/openstack/neutron/commit/89c97e8a493b3abc75ac94a46a70c1d799515065
Submitter: "Zuul (22348)"
Branch: stable/zed

commit 89c97e8a493b3abc75ac94a46a70c1d799515065
Author: Elvira García <email address hidden>
Date: Thu Nov 10 00:47:53 2022 +0100

    Fix behaviour of enable/disable in OVN network log

    Previously, only the first log object created that associated to a
    certain ACL would be able to make changes to the True/False property of
    that ACL. This patch makes the driver to take in consideration each log
    object created to enable or disable an ACL logging status. A functional
    test is added so as to ensure correct behaviour of this feature.

    Closes-Bug: #1996780
    Change-Id: Ib9663495f30562f79babef163729a0c43812089d
    Signed-off-by: Elvira García <email address hidden>
    (cherry picked from commit f629b77d3c821717333eb740311a33a7a45b0e8d)

tags: added: in-stable-zed
tags: added: in-stable-yoga
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/yoga)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/865900
Committed: https://opendev.org/openstack/neutron/commit/4eba379801e8a550dfcdf51a3ebfa45e4c74caa4
Submitter: "Zuul (22348)"
Branch: stable/yoga

commit 4eba379801e8a550dfcdf51a3ebfa45e4c74caa4
Author: Elvira García <email address hidden>
Date: Thu Nov 10 00:47:53 2022 +0100

    Fix behaviour of enable/disable in OVN network log

    Previously, only the first log object created that associated to a
    certain ACL would be able to make changes to the True/False property of
    that ACL. This patch makes the driver to take in consideration each log
    object created to enable or disable an ACL logging status. A functional
    test is added so as to ensure correct behaviour of this feature.

    Closes-Bug: #1996780
    Change-Id: Ib9663495f30562f79babef163729a0c43812089d
    Signed-off-by: Elvira García <email address hidden>
    (cherry picked from commit f629b77d3c821717333eb740311a33a7a45b0e8d)

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/865902
Committed: https://opendev.org/openstack/neutron/commit/0135f0db5627327741822c76efbc03ef0d476576
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 0135f0db5627327741822c76efbc03ef0d476576
Author: Elvira García <email address hidden>
Date: Thu Nov 10 00:47:53 2022 +0100

    Fix behaviour of enable/disable in OVN network log

    Previously, only the first log object created that associated to a
    certain ACL would be able to make changes to the True/False property of
    that ACL. This patch makes the driver to take in consideration each log
    object created to enable or disable an ACL logging status. A functional
    test is added so as to ensure correct behaviour of this feature.

    Closes-Bug: #1996780
    Change-Id: Ib9663495f30562f79babef163729a0c43812089d
    Signed-off-by: Elvira García <email address hidden>
    (cherry picked from commit f629b77d3c821717333eb740311a33a7a45b0e8d)

tags: added: in-stable-wallaby
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/865901
Committed: https://opendev.org/openstack/neutron/commit/7e6ac2b43751ec0e86bd906a80da6126575444b8
Submitter: "Zuul (22348)"
Branch: stable/xena

commit 7e6ac2b43751ec0e86bd906a80da6126575444b8
Author: Elvira García <email address hidden>
Date: Thu Nov 10 00:47:53 2022 +0100

    Fix behaviour of enable/disable in OVN network log

    Previously, only the first log object created that associated to a
    certain ACL would be able to make changes to the True/False property of
    that ACL. This patch makes the driver to take in consideration each log
    object created to enable or disable an ACL logging status. A functional
    test is added so as to ensure correct behaviour of this feature.

    Closes-Bug: #1996780
    Change-Id: Ib9663495f30562f79babef163729a0c43812089d
    Signed-off-by: Elvira García <email address hidden>
    (cherry picked from commit f629b77d3c821717333eb740311a33a7a45b0e8d)

tags: added: in-stable-xena
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 19.5.0

This issue was fixed in the openstack/neutron 19.5.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 22.0.0.0rc1

This issue was fixed in the openstack/neutron 22.0.0.0rc1 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 20.3.0

This issue was fixed in the openstack/neutron 20.3.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 21.1.0

This issue was fixed in the openstack/neutron 21.1.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron wallaby-eom

This issue was fixed in the openstack/neutron wallaby-eom release.
