yahoo-eng-team team mailing list archive
Message #78936
[Bug 1833156] [NEW] neutron fwaas v2 log function does not work
Public bug reported:
OpenStack version: Rocky
Operating system: CentOS 7
libnetfilter_log-1.0.1-7.el7.x86_64

neutron.conf:

    [DEFAULT]
    service_plugins = router,firewall_v2,log

    [service_providers]
    service_provider = FIREWALL_V2:fwaas_db:neutron_fwaas.services.firewall.service_drivers.agents.agents.FirewallAgentDriver:default

fwaas_driver.ini:

    [fwaas]
    agent_version = v2
    driver = neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.iptables_fwaas_v2.IptablesFwaasDriver
    enabled = True

l3_agent.ini:

    [agent]
    extensions = fwaas_v2,fwaas_v2_log

Topology:

    vm1  172.16.10.14
    vm2  172.16.20.12
    r1   172.16.10.1
         172.16.20.1

# openstack firewall group rule show deny_ping
+------------------------+-------------------------------------------+
| Field                  | Value                                     |
+------------------------+-------------------------------------------+
| Action                 | deny                                      |
| Description            |                                           |
| Destination IP Address | 172.16.20.12                              |
| Destination Port       | None                                      |
| Enabled                | True                                      |
| ID                     | a3231ec7-f0a0-48cd-b063-2bf0348ee0c5      |
| IP Version             | 4                                         |
| Name                   | deny_ping                                 |
| Project                | f8c73e555a294972964781606efb5291          |
| Protocol               | icmp                                      |
| Shared                 | False                                     |
| Source IP Address      | 172.16.10.14                              |
| Source Port            | None                                      |
| firewall_policy_id     | [u'cd9b4031-7d8c-4721-99aa-dedac7e1317f'] |
| project_id             | f8c73e555a294972964781606efb5291          |
+------------------------+-------------------------------------------+

# openstack network log show my-log
+-----------------+--------------------------------------+
| Field           | Value                                |
+-----------------+--------------------------------------+
| Description     |                                      |
| Enabled         | True                                 |
| Event           | ALL                                  |
| ID              | 009cdc65-360d-46c1-9366-360c8b094351 |
| Name            | my-log                               |
| Project         | f8c73e555a294972964781606efb5291     |
| Resource        | 087a286e-bb7b-4583-bac4-0a7828c88e91 |
| Target          | None                                 |
| Type            | firewall_group                       |
| created_at      | 2019-06-13T07:46:13Z                 |
| revision_number | 0                                    |
| tenant_id       | f8c73e555a294972964781606efb5291     |
| updated_at      | 2019-06-13T07:46:13Z                 |
+-----------------+--------------------------------------+

# ip netns exec qrouter-38b02e81-bb69-48aa-9ca1-23b371af0b7f iptables -nvL
Chain neutron-l3-agent-dropped (5 references)
 pkts bytes target prot opt in             out            source     destination
   40  3360 NFLOG  all  --  qr-5feaec8e-8b *              0.0.0.0/0  0.0.0.0/0    limit: avg 100/sec burst 25 nflog-prefix 12876978778924028228
    0     0 NFLOG  all  --  *              qr-5feaec8e-8b 0.0.0.0/0  0.0.0.0/0    limit: avg 100/sec burst 25 nflog-prefix 12876978778924028228
   40  3360 DROP   all  --  *              *              0.0.0.0/0  0.0.0.0/0
--------------------------
NFLOG has obtained the packet, but the log file has no record information.

** Affects: neutron
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1833156
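
The check the report makes by eye on the `iptables -nvL` listing, written out as an added example (not part of the bug report and not neutron's own code): it parses the listing and returns the NFLOG rules whose packet counters are non-zero, which is the kernel-side evidence to set against an empty log file. The sample listing is constructed from the output quoted in the report, and the function names are illustrative.

```python
import re

# Constructed sample: the chain quoted in the report, as printed by
# `iptables -nvL` inside the qrouter namespace.
SAMPLE = """\
Chain neutron-l3-agent-dropped (5 references)
 pkts bytes target prot opt in out source destination
   40  3360 NFLOG all -- qr-5feaec8e-8b * 0.0.0.0/0 0.0.0.0/0 limit: avg 100/sec burst 25 nflog-prefix 12876978778924028228
    0     0 NFLOG all -- * qr-5feaec8e-8b 0.0.0.0/0 0.0.0.0/0 limit: avg 100/sec burst 25 nflog-prefix 12876978778924028228
   40  3360 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
"""

_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}
# Some iptables versions print the prefix in double quotes, some do not.
_PREFIX_RE = re.compile(r'nflog-prefix\s+"?([^"\s]+)"?')

def _count(text):
    """Convert a counter; without -x, large values are abbreviated (12K, 3M)."""
    if text[-1] in _SUFFIX:
        return int(text[:-1]) * _SUFFIX[text[-1]]
    return int(text)

def nflog_rules(listing):
    """Return one dict per NFLOG rule found in `iptables -nvL` output."""
    rules, chain = [], None
    for line in listing.splitlines():
        parts = line.split(None, 9)
        if len(parts) >= 2 and parts[0] == "Chain":
            chain = parts[1]
            continue
        if len(parts) < 9 or parts[2] != "NFLOG":
            continue  # column header, blank line, or a non-logging rule
        match = _PREFIX_RE.search(parts[9]) if len(parts) == 10 else None
        rules.append({
            "chain": chain,
            "pkts": _count(parts[0]),
            "bytes": _count(parts[1]),
            "in": parts[5],
            "out": parts[6],
            "prefix": match.group(1) if match else None,
        })
    return rules

def matched(listing):
    """NFLOG rules whose packet counter is non-zero."""
    return [r for r in nflog_rules(listing) if r["pkts"] > 0]

if __name__ == "__main__":
    for r in matched(SAMPLE):
        print(f'{r["chain"]}: {r["pkts"]} pkts in={r["in"]} out={r["out"]} prefix={r["prefix"]}')
```
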