
yahoo-eng-team team mailing list archive

[Bug 1996780] [NEW] [OVN] Enabling and disabling networking log objects doesn't work as expected

 

Public bug reported:


Steps to reproduce:

1. I create a sg logging object called accept_sg1, then drop_sg1:
Both work. (Success)

2. I disable accept_sg1:
Accepted packets are not logged (Success)

3. And then I create all_sg1:
We see the same behavior as before. Accept packets are not logged, but dropped are. (Failure)
The core reason for this is that both ACCEPT and DROP ACLs already had a different log group assigned.
 
+--------------------------------------+---------+------------+----------------+---------------------------------------------------------------+
| ID                                   | Enabled | Name       | Type           | Summary                                                       |
+--------------------------------------+---------+------------+----------------+---------------------------------------------------------------+
| 0918edeb-e1b4-4688-945a-a0ec365c9686 | True    | all_sg1    | security_group | Event: ALL,                                                   |
|                                      |         |            |                | Logged: (security_group) a46dbb61-2d0f-465d-b950-fe3d3ba5a43e |
| 1048b03a-fc2d-432e-8bd6-b05ad75e53f5 | False   | accept_sg1 | security_group | Event: ACCEPT,                                                |
|                                      |         |            |                | Logged: (security_group) a46dbb61-2d0f-465d-b950-fe3d3ba5a43e |
| cfb09a6c-753b-4325-be51-cc3132c53be1 | True    | drop_sg1   | security_group | Event: DROP,                                                  |
|                                      |         |            |                | Logged: (security_group) a46dbb61-2d0f-465d-b950-fe3d3ba5a43e |
+--------------------------------------+---------+------------+----------------+---------------------------------------------------------------+

4. If I delete accept_sg1, all_sg1 will now be "in charge" of logging accepted packets. Dropped ones will still be logged.
 
+--------------------------------------+---------+------------+----------------+---------------------------------------------------------------+
| ID                                   | Enabled | Name       | Type           | Summary                                                       |
+--------------------------------------+---------+------------+----------------+---------------------------------------------------------------+
| 0918edeb-e1b4-4688-945a-a0ec365c9686 | True    | all_sg1    | security_group | Event: ALL,                                                   |
|                                      |         |            |                | Logged: (security_group) a46dbb61-2d0f-465d-b950-fe3d3ba5a43e |
| cfb09a6c-753b-4325-be51-cc3132c53be1 | True    | drop_sg1   | security_group | Event: DROP,                                                  |
|                                      |         |            |                | Logged: (security_group) a46dbb61-2d0f-465d-b950-fe3d3ba5a43e |
+--------------------------------------+---------+------------+----------------+---------------------------------------------------------------+

5. If I now disable drop_sg1, I will only capture accepted packets even
if the other object enabled is all_sg1.

If instead of disabling and enabling the log objects for a security
group, you use create and delete, the feature will work.

Actual results:
Only the first log object associated with a resource is taken into account. If you disable it, you won't see any traffic of that kind logged even if there is another log object with log enabled that allowed that kind of logging.

Expected results:

I think we could allow enable-disable to work correctly in this
situation.

Extracted from: https://bugzilla.redhat.com/show_bug.cgi?id=2136860

** Affects: neutron
     Importance: Undecided
     Assignee: Elvira García Ruiz (elviragr)
         Status: In Progress


** Tags: ovn

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1996780
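
The five steps of the report, replayed against a small model as an added example (not part of the original bug report and not Neutron or OVN code). It assumes each ACL kind keeps the first log object assigned to it, as the report's "core reason" describes; `SecurityGroupLogging`, `observed` and `expected` are hypothetical names.

```python
from dataclasses import dataclass

EVENTS = ("ACCEPT", "DROP")  # the two ACL kinds the report talks about

@dataclass(eq=False)
class LogObject:
    name: str
    event: str            # "ACCEPT", "DROP" or "ALL"
    enabled: bool = True

    def covers(self, event):
        return self.event in (event, "ALL")

class SecurityGroupLogging:
    """Hypothetical model of one security group; not Neutron/OVN code."""
    def __init__(self):
        self.logs = []
        self.owner = dict.fromkeys(EVENTS)  # ACL kind -> single log object

    def create(self, name, event):
        log = LogObject(name, event)
        self.logs.append(log)
        for e in EVENTS:                    # an ACL that already has an owner keeps it
            if log.covers(e) and self.owner[e] is None:
                self.owner[e] = log
        return log

    def delete(self, log):
        self.logs.remove(log)
        for e in EVENTS:                    # freed ACLs pass to the next covering object
            if self.owner[e] is log:
                self.owner[e] = next((l for l in self.logs if l.covers(e)), None)

    def observed(self):   # reported behaviour: only the owner's flag counts
        return {e for e in EVENTS if self.owner[e] and self.owner[e].enabled}

    def expected(self):   # requested behaviour: any enabled covering object counts
        return {e for e in EVENTS if any(l.enabled and l.covers(e) for l in self.logs)}

def replay():
    """Run steps 1-5 of the report; return (step, observed, expected) tuples."""
    sg, out = SecurityGroupLogging(), []
    snap = lambda n: out.append((n, sg.observed(), sg.expected()))
    accept = sg.create("accept_sg1", "ACCEPT")
    drop = sg.create("drop_sg1", "DROP"); snap(1)
    accept.enabled = False; snap(2)
    sg.create("all_sg1", "ALL"); snap(3)
    sg.delete(accept); snap(4)
    drop.enabled = False; snap(5)
    return out

if __name__ == "__main__":
    for step, seen, wanted in replay():
        print(step, sorted(seen), sorted(wanted), "GAP" if seen != wanted else "ok")
```

Steps 3 and 5 are the ones where the observed and expected sets differ, which is where an enabled `all_sg1` object still leaves one kind of traffic unlogged.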
