yahoo-eng-team team mailing list archive
Message #75255
[Bug 1788759] Re: Firewall Logging does not work when changing port state to UP after restarting q-l3.service
Reviewed: https://review.openstack.org/600660
Committed: https://git.openstack.org/cgit/openstack/neutron-fwaas/commit/?id=48b82f7c925d1fdbe0a5b69f99999ecd6ca731c5
Submitter: Zuul
Branch: master
commit 48b82f7c925d1fdbe0a5b69f99999ecd6ca731c5
Author: Kim Bao Long <longkb@xxxxxxxxxxxxxx>
Date: Fri Sep 7 12:30:25 2018 +0700
Subscribe Neutron port update events for FWG Logging handling
Currently, FWaaS L3 logging only syncs with firewall group related
events; it does not care about Neutron port status updates, as reported
in [1]. This patch aims to subscribe to Neutron callback events that will
trigger the FWG Logging driver for further handling.
[1] https://bugs.launchpad.net/neutron/+bug/1788759
Change-Id: If2754040dad0bae6c224ceaec8b7e66436a2195d
Co-Authored-By: Nguyen Phuong An <AnNP@xxxxxxxxxxxxxx>
Closes-Bug: #1788759
** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1788759
Title:
Firewall Logging does not work when changing port state to UP after
restarting q-l3.service
Status in neutron:
Fix Released
Bug description:
Steps to reproduce this bug:
#1 Create network net0 with subnet subnet0
openstack network create --share net0
openstack subnet create subnet0 --ip-version 4 --gateway 10.10.0.1 --network net0 --subnet-range 10.10.0.0/24
#2 Create router router0 and attach subnet0 to router0
openstack router create router0
openstack router add subnet router0 subnet0
#3 Create fwg1 with the default ingress and egress firewall group policies of the admin project
project_id=$(openstack project show admin -f value -c id)
i_fwp_id=$(openstack firewall group policy list --long | grep ingress | grep "$project_id" | awk '{print $2}')
e_fwp_id=$(openstack firewall group policy list --long | grep egress | grep "$project_id" | awk '{print $2}')
#4 Create and attach fwg1 to the internal router port that attaches to net0
net0_port=$(openstack port list --router router0 --fixed-ip ip-address=10.10.0.1 -f value -c ID)
openstack firewall group create --name fwg1 --port "$net0_port" --ingress-firewall-policy "$i_fwp_id" --egress-firewall-policy "$e_fwp_id"
#5 Create a logging resource for fwg1
openstack network log create --resource-type firewall_group --resource fwg1 --enable --event ALL Log_all_defined_resource
# Check iptables of netns of router0 => NFLOGs are added (OK)
http://paste.openstack.org/show/728805/
#6 Update net0_port 'state' to 'DOWN'
openstack port set "$net0_port" --disable
# Check iptables of netns of router0 => NFLOGs stay the same (are not removed)
=> this is accepted
#7 Restart q-l3.service
sudo systemctl restart devstack@q-l3.service
# Check iptables of netns of router0 => NFLOGs are removed
http://paste.openstack.org/show/728806/
#8 Change net0_port status from 'DOWN' to 'UP'
openstack port set "$net0_port" --enable
# Check iptables of netns of router0
Expected result: NFLOGs should be recovered like http://paste.openstack.org/show/728805/
Actual result: NFLOGs are NOT recovered (http://paste.openstack.org/show/728806/)
In addition, without step "#7 Restart q-l3.service", everything works as expected.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1788759/+subscriptions
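The reproduction above says "check iptables of netns of router0" at steps #5, #6, #7 and #8 without giving the check itself. The helper below is an added example, written for this page and not part of the bug report or of neutron-fwaas: it snapshots the router namespace's rules, counts the NFLOG rules FWaaS logging installed, and reports whether every NFLOG rule from a reference snapshot (taken after step #5) is present again after step #8. Assumptions not stated on the page: the L3 agent names the namespace qrouter-<router id>, the logging rules jump to the NFLOG target, and those rules live in the filter table (the table iptables -S lists by default). The two sample snapshots are constructed for offline use and are not the content of the pastes linked in the report.

```shell
#!/usr/bin/env bash
# Added example (not from the bug report or neutron-fwaas): verify presence and
# recovery of FWaaS NFLOG rules in a router namespace during the reproduction.
# Assumptions: namespace is qrouter-<router id>; logging rules use "-j NFLOG";
# rules are in the filter table. Sample snapshots below are constructed.

# Print only the NFLOG rules from "iptables -S" style output read on stdin.
nflog_rules() {
  grep -- '-j NFLOG' || true
}

# Count NFLOG rules in "iptables -S" style output read on stdin (prints 0 if none).
count_nflog_rules() {
  nflog_rules | wc -l | tr -d ' '
}

# Return 0 if every NFLOG rule of the reference snapshot ($1) is present in the
# current snapshot ($2); otherwise print the missing rules on stderr and return 1.
nflog_recovered() {
  local ref="$1" cur="$2" missing=0 rule
  while IFS= read -r rule; do
    [ -n "$rule" ] || continue
    if ! printf '%s\n' "$cur" | grep -qxF -- "$rule"; then
      echo "missing: $rule" >&2
      missing=1
    fi
  done <<EOF
$(printf '%s\n' "$ref" | nflog_rules)
EOF
  return "$missing"
}

# Live snapshot on a devstack node (needs the openstack CLI and root). Add
# "-t <table>" to the iptables call if your logging rules are not in filter.
snapshot_router_rules() {
  local router_id
  router_id=$(openstack router show "$1" -f value -c id)
  sudo ip netns exec "qrouter-${router_id}" iptables -S
}

# Constructed sample (hypothetical chain names and prefixes): state after step #5,
# with two NFLOG rules installed in the firewall group chain.
AFTER_STEP5='-P FORWARD ACCEPT
-A neutron-l3-agent-FORWARD -i qr-1a2b3c4d-5e -j neutron-l3-agent-iv4fwg1
-A neutron-l3-agent-iv4fwg1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-iv4fwg1 -m conntrack --ctstate NEW -j NFLOG --nflog-prefix 10001
-A neutron-l3-agent-iv4fwg1 -j NFLOG --nflog-prefix 10002
-A neutron-l3-agent-iv4fwg1 -j DROP'

# Constructed sample mirroring the report's description of step #7: the NFLOG
# rules are gone after the q-l3 restart.
AFTER_STEP7='-P FORWARD ACCEPT
-A neutron-l3-agent-FORWARD -i qr-1a2b3c4d-5e -j neutron-l3-agent-iv4fwg1
-A neutron-l3-agent-iv4fwg1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-l3-agent-iv4fwg1 -j DROP'

# Stand-alone run over the constructed samples. On a real node, take the
# reference with "$(snapshot_router_rules router0)" after step #5 and compare
# it against a second snapshot taken after step #8.
printf 'NFLOG rules after step 5: %s\n' "$(printf '%s\n' "$AFTER_STEP5" | count_nflog_rules)"
printf 'NFLOG rules after step 7: %s\n' "$(printf '%s\n' "$AFTER_STEP7" | count_nflog_rules)"
if nflog_recovered "$AFTER_STEP5" "$AFTER_STEP7"; then
  echo "NFLOG rules recovered"
else
  echo "NFLOG rules NOT recovered (the behaviour reported in bug 1788759)"
fi
```

Comparing whole rule lines with grep -xF rather than just counting catches the case where the agent reinstalls a different set of NFLOG rules (for example with new prefixes) after the restart, which a bare count would miss.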