[OVN] Enabling and disabling networking log objects doesn't work as expected
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
neutron | Fix Released | Medium | Elvira García Ruiz | |
Bug Description
Steps to reproduce:
1. I create a sg logging object called accept_sg1, then drop_sg1:
Both work. (Success)
2. I disable accept_sg1:
Accepted packets are not logged (Success)
3. And then I create all_sg1:
We see the same behavior as before. Accept packets are not logged, but dropped are. (Failure)
The core reason for this is that both ACCEPT and DROP ACLs already had a different log group assigned.
+------
| ID | Enabled | Name | Type | Summary |
+------
| 0918edeb-
| | | | | Logged: (security_group) a46dbb61-
| 1048b03a-
| | | | | Logged: (security_group) a46dbb61-
| cfb09a6c-
| | | | | Logged: (security_group) a46dbb61-
+------
4. If I delete accept_sg1, all_sg1 will now be "in charge" of logging accepted packets. Dropped ones will still be logged.
+------
| ID | Enabled | Name | Type | Summary |
+------
| 0918edeb-
| | | | | Logged: (security_group) a46dbb61-
| cfb09a6c-
| | | | | Logged: (security_group) a46dbb61-
+------
5. If I now disable drop_sg1, I will only capture accepted packets even if the other object enabled is all_sg1.
If instead of disabling and enabling the log objects for a security group, you use create and delete, the feature will work.
Actual results:
Only the first log object associated to a resource is taken into account. If you disable it, you won't see any traffic of that kind logged even if there is another log object with log enabled that allowed that kind of logging.
Expected results:
I think we could allow enable-disable to work correctly in this situation.
Extracted from: https:/
Changed in neutron: status: New → In Progress
Changed in neutron: importance: Undecided → Medium
Reviewed: https://review.opendev.org/c/openstack/neutron/+/864152
Committed: https://opendev.org/openstack/neutron/commit/f629b77d3c821717333eb740311a33a7a45b0e8d
Submitter: "Zuul (22348)"
Branch: master
commit f629b77d3c821717333eb740311a33a7a45b0e8d
Author: Elvira García <email address hidden>
Date: Thu Nov 10 00:47:53 2022 +0100
Fix behaviour of enable/disable in OVN network log
Previously, only the first log object created that associated to a
certain ACL would be able to make changes to the True/False property of
that ACL. This patch makes the driver take into consideration each log
object created to enable or disable an ACL logging status. A functional
test is added so as to ensure correct behaviour of this feature.
Closes-Bug: #1996780
Change-Id: Ib9663495f30562f79babef163729a0c43812089d
Signed-off-by: Elvira García <email address hidden>
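
The reported behaviour next to the behaviour the report asks for, replayed over steps 1-5 of the description. This is an added example, not code from neutron or from the patch. It assumes a simplified model in which each ACL follows the first log object that covers it, and that the intended rule is "an ACL logs if any enabled log object covers it"; all function and class names are hypothetical.

```python
from dataclasses import dataclass

# Simplified model (constructed for illustration): one security group with an
# ACCEPT ACL and a DROP ACL, and log objects whose event is ACCEPT, DROP or ALL.
ACL_KINDS = ("ACCEPT", "DROP")

@dataclass
class LogObject:
    name: str
    event: str          # "ACCEPT", "DROP" or "ALL"
    enabled: bool = True

    def covers(self, kind):
        return self.event in ("ALL", kind)

def first_owner_logging(log_objects):
    """Reported behaviour: only the first log object covering an ACL decides."""
    result = {}
    for kind in ACL_KINDS:
        owner = next((lo for lo in log_objects if lo.covers(kind)), None)
        result[kind] = bool(owner and owner.enabled)
    return result

def any_enabled_logging(log_objects):
    """Assumed intended rule: an ACL logs if any enabled log object covers it."""
    return {kind: any(lo.enabled and lo.covers(kind) for lo in log_objects)
            for kind in ACL_KINDS}

def replay_report(resolve):
    """Replay steps 1-5 of the report; return the ACL log state after each step."""
    accept = LogObject("accept_sg1", "ACCEPT")
    drop = LogObject("drop_sg1", "DROP")
    objs, states = [accept, drop], []      # list order = creation order
    states.append(resolve(objs))           # step 1: accept_sg1 and drop_sg1 created
    accept.enabled = False
    states.append(resolve(objs))           # step 2: accept_sg1 disabled
    objs.append(LogObject("all_sg1", "ALL"))
    states.append(resolve(objs))           # step 3: all_sg1 created
    objs.remove(accept)
    states.append(resolve(objs))           # step 4: accept_sg1 deleted
    drop.enabled = False
    states.append(resolve(objs))           # step 5: drop_sg1 disabled
    return states

if __name__ == "__main__":
    for label, fn in (("reported", first_owner_logging), ("expected", any_enabled_logging)):
        print(label, replay_report(fn))
```

The two runs diverge at steps 3 and 5, the points where an enabled all_sg1 exists but an older, disabled log object still controls the ACL. For audit coverage, this means an "enabled" log object in the listing does not by itself prove the matching traffic is being logged on affected versions.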