
yahoo-eng-team team mailing list archive

[Bug 1786746] Re: [FW Logging] NFLOG rules still remains after deleting log resource

Reviewed:  https://review.openstack.org/590682
Committed: https://git.openstack.org/cgit/openstack/neutron-fwaas/commit/?id=6ccdd943a3cec92e559dd842407382a3dca5f484
Submitter: Zuul
Branch:    master

commit 6ccdd943a3cec92e559dd842407382a3dca5f484
Author: Kim Bao Long <longkb@xxxxxxxxxxxxxx>
Date:   Fri Aug 10 14:41:54 2018 +0700

    Remove remaining NFLOG rules on deleting log resource
    
    Currently, NFLOG rules still remain after deletion of log resources
    for "ACCEPT" or "DROP" events. This patch aims to remove these rules.
    In addition, it also cleans up the unused iptables manager per port to
    avoid memory consumption by self.ipt_mgr_list in [1]
    
    [1] https://review.openstack.org/#/c/553738/
    
    Closes-Bug: #1786746
    Change-Id: Id8db35c9e11c11f186f15565fcbc2cfa67d9ebd4
    Co-Authored-By: Nguyen Phuong An <AnNP@xxxxxxxxxxxxxx>


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1786746

Title:
  [FW Logging] NFLOG rules still remains after deleting log resource

Status in neutron:
  Fix Released

Bug description:
  I have tested the logging feature for firewall_group in stable/rocky
  [1] and found a bug. Please follow the test case below to reproduce
  it:

  Environment:
  - Devstack stable/rocky
  - Install devstack with local.conf: http://paste.openstack.org/show/727916/
  - Topology: set up the topology with the following script http://paste.openstack.org/show/727918/

  Testcase
  --------
  - Create log resource: 
    openstack network log create --resource-type firewall_group --event accept testAccept

  - Show iptables config:
    router_id=$(openstack router list | grep router0 | awk '{print$2}')
    router_ns='qrouter-'$router_id
    sudo ip netns exec $router_ns iptables -nvL

  - The results show that the NFLOG rules were added correctly to iptables:
  http://paste.openstack.org/show/727920/

  Bug triggering
  --------------
  Delete the log resource with: openstack network log delete testAccept
  Error logs: http://paste.openstack.org/show/727919/
  => Expectation: the NFLOG rules for ACCEPT disappear
  => Observed: the NFLOG rules for ACCEPT still remain => Bug

  References:
  [1] https://docs.openstack.org/neutron/latest/admin/config-logging.html#service-workflow-for-operator

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1786746/+subscriptions
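The test case above checks for leftover rules by eyeballing `iptables -nvL` in the router namespace. The following script is an added example (not code from the bug report or from neutron-fwaas) that automates that check: it parses `iptables -S` output and lists every NFLOG rule, optionally filtered by nflog-prefix, so a run after `openstack network log delete` should return an empty list once the fix is in place. The chain names, prefixes and limit options in SAMPLE_RULES are constructed for illustration and are not claimed to match what neutron-fwaas actually installs; `dump_router_rules` assumes `ip netns exec` and root privileges on the network node.

```python
"""Report NFLOG rules left in a router namespace (added example, not project code)."""
import re
import shlex
import subprocess
from typing import Dict, List, Optional

# Constructed sample of `iptables -S` output. The chain names and
# nflog-prefix values are hypothetical, not captured from a real node.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N neutron-l3-agent-accepted
-N neutron-l3-agent-dropped
-A FORWARD -j neutron-l3-agent-accepted
-A neutron-l3-agent-accepted -m limit --limit 100/sec --limit-burst 25 -j NFLOG --nflog-prefix "fwg-accept-example" --nflog-group 0
-A neutron-l3-agent-accepted -j ACCEPT
-A neutron-l3-agent-dropped -m limit --limit 100/sec --limit-burst 25 -j NFLOG --nflog-prefix "fwg-drop-example" --nflog-group 0
-A neutron-l3-agent-dropped -j DROP
"""

NFLOG_TARGET = re.compile(r"-j NFLOG\b")


def parse_nflog_rules(rules_text: str) -> List[Dict[str, Optional[str]]]:
    """Return one record per NFLOG rule: chain, nflog-prefix, nflog-group, raw line.

    Only `-A` lines are rules; `-P`/`-N` lines are policies and chain
    declarations and are skipped.
    """
    found = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line.startswith("-A ") or not NFLOG_TARGET.search(line):
            continue
        tokens = shlex.split(line)  # unquotes the --nflog-prefix value
        chain = tokens[1]
        prefix: Optional[str] = None
        group: Optional[str] = None
        for i, tok in enumerate(tokens):
            if tok == "--nflog-prefix" and i + 1 < len(tokens):
                prefix = tokens[i + 1]
            elif tok == "--nflog-group" and i + 1 < len(tokens):
                group = tokens[i + 1]
        found.append({"chain": chain, "prefix": prefix, "group": group, "rule": line})
    return found


def leftover_nflog_rules(rules_text: str, prefix_substring: Optional[str] = None):
    """NFLOG rules still present; filter by a substring of the nflog-prefix if given.

    After `openstack network log delete` of the only log resource this
    should be empty; a non-empty result reproduces the bug described above.
    """
    rules = parse_nflog_rules(rules_text)
    if prefix_substring is None:
        return rules
    return [r for r in rules if r["prefix"] and prefix_substring in r["prefix"]]


def dump_router_rules(router_ns: str) -> str:
    """Run `iptables -S` inside the router namespace (needs root; assumed environment)."""
    proc = subprocess.run(
        ["ip", "netns", "exec", router_ns, "iptables", "-S"],
        check=True, capture_output=True, text=True,
    )
    return proc.stdout


if __name__ == "__main__":
    import sys

    # Usage: sudo python3 check_nflog.py qrouter-<router_id> [prefix-substring]
    # Without arguments the constructed sample is analysed instead.
    if len(sys.argv) > 1:
        text = dump_router_rules(sys.argv[1])
        wanted = sys.argv[2] if len(sys.argv) > 2 else None
    else:
        text, wanted = SAMPLE_RULES, None
    leftovers = leftover_nflog_rules(text, wanted)
    for r in leftovers:
        print(f"{r['chain']}: prefix={r['prefix']} group={r['group']}")
    print("no NFLOG rules found" if not leftovers else f"{len(leftovers)} NFLOG rule(s) remain")
```

Run it once before the delete to confirm the rules exist, then again afterwards; any rule reported on the second run is exactly the leftover the patch above removes. Parsing `-S` rather than `-nvL` avoids the column layout of the listing output and keeps the quoted prefix intact.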
