yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1786746] [NEW] [FW Logging] NFLOG rules still remains after deleting log resource

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Kim Bao Long <1786746@xxxxxxxxxxxxxxxxxx>
Date: Mon, 13 Aug 2018 08:52:20 -0000
Reply-to: Bug 1786746 <1786746@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

I have tested a logging feature for firewall_group in stable/rocky [1],
and found a bug. Please follow the following testcase to reproduce this
bug:

Environment:
- Devstack stable/rocky
- Create a router with port-A that attach to fwg1

Testcase 1
----------
Create 2 log-resources:
 + A: {ACCEPT, fwg1, port-A }
 + B : {DROP, fwg1, port-A}

NFLOGs are added to iptables correctly
Delete log-resource A
=> expect: NFLOGs for ACCEPT disappears
=> Observed: NFLOGs for ACCEPT still remains => Bug

Testcase 2
----------
Create 2 log-resources
+ A: {ALL, fwg1, port-A }
+ B : {ACCEPT, fwg1, port-A}

=> NFLOGs are added to iptables correctly
Delete log-resource A
=> expect: NFLOGs for ACCEPT and DROP disappears
=> Observed: NFLOGs for ACCEPT and DROP still remains => Bug

References:
[1] https://docs.openstack.org/neutron/latest/admin/config-logging.html#service-workflow-for-operator

** Affects: neutron
     Importance: Undecided
     Assignee: Kim Bao Long (longkb.fvl)
         Status: In Progress


** Tags: fwaas logging

** Summary changed:

-  [FW Logging] NFLOG rules still remains after delete log resource 
+ [FW Logging] NFLOG rules still remains after deleting log resource

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1786746

Title:
  [FW Logging] NFLOG rules still remains after deleting log resource

Status in neutron:
  In Progress

Bug description:
  I have tested a logging feature for firewall_group in stable/rocky
  [1], and found a bug. Please follow the following testcase to
  reproduce this bug:

  Environment:
  - Devstack stable/rocky
  - Create a router with port-A that attach to fwg1

  Testcase 1
  ----------
  Create 2 log-resources:
   + A: {ACCEPT, fwg1, port-A }
   + B : {DROP, fwg1, port-A}

  NFLOGs are added to iptables correctly
  Delete log-resource A
  => expect: NFLOGs for ACCEPT disappears
  => Observed: NFLOGs for ACCEPT still remains => Bug

  Testcase 2
  ----------
  Create 2 log-resources
  + A: {ALL, fwg1, port-A }
  + B : {ACCEPT, fwg1, port-A}

  => NFLOGs are added to iptables correctly
  Delete log-resource A
  => expect: NFLOGs for ACCEPT and DROP disappears
  => Observed: NFLOGs for ACCEPT and DROP still remains => Bug

  References:
  [1] https://docs.openstack.org/neutron/latest/admin/config-logging.html#service-workflow-for-operator

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1786746/+subscriptions

Follow ups

[Bug 1786746] Re: [FW Logging] NFLOG rules still remains after deleting log resource
From: OpenStack Infra, 2018-08-21