Bug 1988833 - Overlapping configuration for security group logging is not applied correctly
Summary: Overlapping configuration for security group logging is not applied correctly
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-networking-ovn
Version: 16.2 (Train)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: z3
Target Release: 16.2 (Train on RHEL 8.4)
Assignee: Elvira
QA Contact: ayenachew molla
URL:
Whiteboard:
Depends On:
Blocks: 1619266
Reported: 2021-08-01 14:05 UTC by Alex Katz
Modified: 2022-06-22 16:03 UTC (History)

Fixed In Version: python-networking-ovn-7.4.2-2.20220209161010.3a1deba.el8osttrunk
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-06-22 16:02:30 UTC
Target Upstream Version:
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 822096 0 None NEW [OVN] Fix overlapping security group objects not correctly applied 2022-01-26 11:27:21 UTC
Red Hat Issue Tracker OSP-6690 0 None None None 2021-11-15 13:02:44 UTC
Red Hat Product Errata RHBA-2022:4793 0 None None None 2022-06-22 16:03:08 UTC

Description Alex Katz 2021-08-01 14:05:23 UTC
If there are two security group logging objects (with different event types) created for the same security group, only the first one will be applied.

# openstack network log create --resource-type security_group --resource test_sg --event ACCEPT test_log_1
# openstack network log create --resource-type security_group --resource test_sg --event DROP test_log_2

In such a case only accepted packets will be logged. After deletion of the `test_log_1` object, all dropped packets will be logged. The issue is also replicated with no security group specified as a `--resource` option (aka log all security groups).

It seems legit for me to raise an error if someone wants to create a new logging object for the security group with logging already enabled. But there is currently no option to change the event type for the existing logging object. Plus it will not solve the issue for the situation where no `--resource` is specified.

Comment 1 Alex Katz 2021-08-05 15:23:55 UTC
Verified that overlapping configuration works in ml2/OVS environment

Comment 4 Elvira 2021-12-14 12:53:08 UTC
Hi @akatz , I've been unable to reproduce this problem.

I'm using OVN 21.06, not sure which version was used when this was filed.
I created a security group with a security group rule that allowed icmp and then associated it to a vm.

Then, I created two log objects as you say in the description.
After that, I've pinged the VM successfully:

2021-12-14T12:40:44.742Z|00008|acl_log(ovn_pinctrl0)|INFO|name="neutron-15ba7c02-9a8d-48df-9ca4-6155b24774ed", verdict=allow, severity=info: icmp,vlan_tci=0x0000,dl_src=fa:16:3e:ae:ac:ac,dl_dst=fa:16:3e:bf:fa:c7,nw_src=172.24.4.1,nw_dst=10.100.0.71,nw_tos=0,nw_ecn=0,nw_ttl=63,icmp_type=8,icmp_code=0

I tried to access the vm via ssh and packets were dropped because I did not have any security group rule allowing that kind of traffic. I could see the dropped packets on ovn-controller.log:

2021-12-14T12:40:56.265Z|00013|acl_log(ovn_pinctrl0)|INFO|name="neutron-e2e750ef-c920-40b7-805e-54b4a2ea3a26", verdict=drop, severity=info: tcp,vlan_tci=0x0000,dl_src=fa:16:3e:ae:ac:ac,dl_dst=fa:16:3e:bf:fa:c7,nw_src=172.24.4.1,nw_dst=10.100.0.71,nw_tos=0,nw_ecn=0,nw_ttl=63,tp_src=53604,tp_dst=22,tcp_flags=syn

Is there something I might have missed? Maybe this was tested using an earlier version of OVN? Or could this be a side effect of BZ1988837? (Note that I just created the logging objects you mention in the description)

Comment 5 Alex Katz 2021-12-14 15:09:11 UTC
Hi Elvira,

Indeed the mentioned commands do not work as I explained. Actually, I have two different replication scenarios. The first one is like the one from the description but without `--resource` parameter:

# openstack network log create --resource-type security_group --event ACCEPT test_log_1
# openstack network log create --resource-type security_group --event DROP test_log_2

And the second one is just in the opposite order (first DROP, then ACCEPT):

# openstack network log create --resource-type security_group --resource test_sg --event DROP test_log_2
# openstack network log create --resource-type security_group --resource test_sg --event ACCEPT test_log_1

In the northbound database, we don't see any `meter` or `name` fields configured for the ACLs that belong to the port groups where the logging is disabled:

$ openstack network log list

$ openstack security group rule list fb2b974f-16de-4cb4-8b12-26d85c357064
+--------------------------------------+-------------+-----------+-----------+------------+-----------------------+
| ID                                   | IP Protocol | Ethertype | IP Range  | Port Range | Remote Security Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------------------+
| 8df5b973-89f9-4a70-a8cd-864b4c221d74 | icmp        | IPv4      | 0.0.0.0/0 |            | None                  |
| fbd9af64-7e20-4f41-82a1-206a6fad2d71 | None        | IPv4      | 0.0.0.0/0 |            | None                  |
+--------------------------------------+-------------+-----------+-----------+------------+-----------------------+


[root@controller-0 ~]# nbctl list port_group 7e7f3dff-d858-4a76-be52-f97120bc41ce
_uuid               : 7e7f3dff-d858-4a76-be52-f97120bc41ce
acls                : [5f1708fc-5864-4fde-90c1-4f9f1e32b0db, 9b998dea-e04d-417b-8518-703cce99920d]
external_ids        : {"neutron:security_group_id"="fb2b974f-16de-4cb4-8b12-26d85c357064"}
name                : pg_fb2b974f_16de_4cb4_8b12_26d85c357064
ports               : [2c448542-9312-441b-a030-51a1b8ef3a5b]

[root@controller-0 ~]# nbctl list acl 5f1708fc-5864-4fde-90c1-4f9f1e32b0db
_uuid               : 5f1708fc-5864-4fde-90c1-4f9f1e32b0db
action              : allow-related
direction           : to-lport
external_ids        : {"neutron:security_group_rule_id"="8df5b973-89f9-4a70-a8cd-864b4c221d74"}
log                 : false
match               : "outport == @pg_fb2b974f_16de_4cb4_8b12_26d85c357064 && ip4 && ip4.src == 0.0.0.0/0 && icmp4"
meter               : []
name                : []
priority            : 1002
severity            : []

[root@controller-0 ~]# nbctl list acl 9b998dea-e04d-417b-8518-703cce99920d
_uuid               : 9b998dea-e04d-417b-8518-703cce99920d
action              : allow-related
direction           : from-lport
external_ids        : {"neutron:security_group_rule_id"="fbd9af64-7e20-4f41-82a1-206a6fad2d71"}
log                 : false
match               : "inport == @pg_fb2b974f_16de_4cb4_8b12_26d85c357064 && ip4 && ip4.dst == 0.0.0.0/0"
meter               : []
name                : []
priority            : 1002
severity            : []


But once we add a logging object of any kind it sets a meter for any associated ACLs. For example, if we enable logging for drop events for a specific security group, it will set the meter for all allow-related ACLs too:

$ openstack network log create --resource-type security_group --resource fb2b974f-16de-4cb4-8b12-26d85c357064 --event DROP test_log_1
+-----------------+--------------------------------------+
| Field           | Value                                |
+-----------------+--------------------------------------+
| Description     |                                      |
| Enabled         | True                                 |
| Event           | DROP                                 |
| ID              | ec94fd0c-5bd4-45d7-a483-a6824b5ed9c5 |
| Name            | test_log_1                           |
| Project         | b55a1fc4331848f08447c88d7e7baf92     |
| Resource        | fb2b974f-16de-4cb4-8b12-26d85c357064 |
| Target          | None                                 |
| Type            | security_group                       |
| created_at      | 2021-12-14T15:05:48Z                 |
| revision_number | 0                                    |
| tenant_id       | b55a1fc4331848f08447c88d7e7baf92     |
| updated_at      | 2021-12-14T15:05:48Z                 |
+-----------------+--------------------------------------+

$ openstack network log list
+--------------------------------------+---------+------------+----------------+---------------------------------------------------------------+
| ID                                   | Enabled | Name       | Type           | Summary                                                       |
+--------------------------------------+---------+------------+----------------+---------------------------------------------------------------+
| ec94fd0c-5bd4-45d7-a483-a6824b5ed9c5 | True    | test_log_1 | security_group | Event: DROP,                                                  |
|                                      |         |            |                | Logged: (security_group) fb2b974f-16de-4cb4-8b12-26d85c357064 |
+--------------------------------------+---------+------------+----------------+---------------------------------------------------------------+

$ openstack security group rule list fb2b974f-16de-4cb4-8b12-26d85c357064
+--------------------------------------+-------------+-----------+-----------+------------+-----------------------+
| ID                                   | IP Protocol | Ethertype | IP Range  | Port Range | Remote Security Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------------------+
| 8df5b973-89f9-4a70-a8cd-864b4c221d74 | icmp        | IPv4      | 0.0.0.0/0 |            | None                  |
| fbd9af64-7e20-4f41-82a1-206a6fad2d71 | None        | IPv4      | 0.0.0.0/0 |            | None                  |
+--------------------------------------+-------------+-----------+-----------+------------+-----------------------+

[root@controller-0 ~]# nbctl list port_group 7e7f3dff-d858-4a76-be52-f97120bc41ce
_uuid               : 7e7f3dff-d858-4a76-be52-f97120bc41ce
acls                : [5f1708fc-5864-4fde-90c1-4f9f1e32b0db, 9b998dea-e04d-417b-8518-703cce99920d]
external_ids        : {"neutron:security_group_id"="fb2b974f-16de-4cb4-8b12-26d85c357064"}
name                : pg_fb2b974f_16de_4cb4_8b12_26d85c357064
ports               : [2c448542-9312-441b-a030-51a1b8ef3a5b]

[root@controller-0 ~]# nbctl list acl 5f1708fc-5864-4fde-90c1-4f9f1e32b0db
_uuid               : 5f1708fc-5864-4fde-90c1-4f9f1e32b0db
action              : allow-related
direction           : to-lport
external_ids        : {"neutron:security_group_rule_id"="8df5b973-89f9-4a70-a8cd-864b4c221d74"}
log                 : false
match               : "outport == @pg_fb2b974f_16de_4cb4_8b12_26d85c357064 && ip4 && ip4.src == 0.0.0.0/0 && icmp4"
meter               : acl_log_meter
name                : neutron-ec94fd0c-5bd4-45d7-a483-a6824b5ed9c5
priority            : 1002
severity            : info

[root@controller-0 ~]# nbctl list acl 9b998dea-e04d-417b-8518-703cce99920d
_uuid               : 9b998dea-e04d-417b-8518-703cce99920d
action              : allow-related
direction           : from-lport
external_ids        : {"neutron:security_group_rule_id"="fbd9af64-7e20-4f41-82a1-206a6fad2d71"}
log                 : false
match               : "inport == @pg_fb2b974f_16de_4cb4_8b12_26d85c357064 && ip4 && ip4.dst == 0.0.0.0/0"
meter               : acl_log_meter
name                : neutron-ec94fd0c-5bd4-45d7-a483-a6824b5ed9c5
priority            : 1002
severity            : info

As you can see, the log fields are set to false and are not overwritten when you enable logging for accept events.
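The records above show the state an operator wants to verify: every ACL in the security group's port group should carry `log : true` when a network log object covering that ACL's action is attached. The following script is an added example, not code from the bug report or from networking-ovn. It parses the plain-text output of `ovn-nbctl list acl`, takes the set of event types of the log objects attached to the security group, and reports ACLs whose `log` field disagrees with what those objects require. The mapping from event type to ACL action (ACCEPT covers the allow* actions, DROP covers drop/reject, ALL covers both) is an assumption made for this check; the sample records are constructed from the two allow-related ACLs shown above.

```python
"""Added check: compare OVN northbound ACL records for a security group's
port group against the Neutron network log objects attached to that group.

Input is the text output of `ovn-nbctl list acl` (blocks of "key : value"
lines separated by blank lines). The event-type-to-action mapping below is
an assumption for this check, not taken from the bug report.
"""

ALLOW_ACTIONS = {"allow", "allow-related", "allow-stateless"}
DROP_ACTIONS = {"drop", "reject"}


def parse_nbctl_list(text):
    """Parse `ovn-nbctl list <table>` output into a list of dicts."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        # Split on the first colon only; values such as external_ids
        # contain further colons that must stay in the value.
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def expected_to_log(action, events):
    """Whether an ACL with this action should log, given the event types of
    the attached log objects (assumed mapping, see module docstring)."""
    if "ALL" in events:
        return True
    if action in ALLOW_ACTIONS:
        return "ACCEPT" in events
    if action in DROP_ACTIONS:
        return "DROP" in events
    return False


def find_logging_mismatches(acls, events):
    """Return ACLs whose `log` field disagrees with the attached log objects.

    Each result is (uuid, action, expected, actual). An ACL that should log
    but has log=false is the symptom from the bug report: a second log
    object on the same security group is not applied.
    """
    mismatches = []
    for acl in acls:
        actual = acl.get("log") == "true"
        expected = expected_to_log(acl.get("action", ""), events)
        if actual != expected:
            mismatches.append((acl.get("_uuid"), acl.get("action"), expected, actual))
    return mismatches


# Constructed sample, modelled on the two allow-related ACLs shown in the
# report after a DROP log object was attached to the security group.
SAMPLE_ACLS = """\
_uuid               : 5f1708fc-5864-4fde-90c1-4f9f1e32b0db
action              : allow-related
direction           : to-lport
external_ids        : {"neutron:security_group_rule_id"="8df5b973-89f9-4a70-a8cd-864b4c221d74"}
log                 : false
match               : "outport == @pg_fb2b974f_16de_4cb4_8b12_26d85c357064 && ip4 && ip4.src == 0.0.0.0/0 && icmp4"
meter               : acl_log_meter
name                : neutron-ec94fd0c-5bd4-45d7-a483-a6824b5ed9c5
priority            : 1002
severity            : info

_uuid               : 9b998dea-e04d-417b-8518-703cce99920d
action              : allow-related
direction           : from-lport
external_ids        : {"neutron:security_group_rule_id"="fbd9af64-7e20-4f41-82a1-206a6fad2d71"}
log                 : false
match               : "inport == @pg_fb2b974f_16de_4cb4_8b12_26d85c357064 && ip4 && ip4.dst == 0.0.0.0/0"
meter               : acl_log_meter
name                : neutron-ec94fd0c-5bd4-45d7-a483-a6824b5ed9c5
priority            : 1002
severity            : info
"""


def check_sample(events):
    """Run the check on the constructed sample for a given set of events."""
    return find_logging_mismatches(parse_nbctl_list(SAMPLE_ACLS), set(events))


if __name__ == "__main__":
    # With only a DROP log object attached, allow-related ACLs are correctly silent.
    print("DROP only:", check_sample({"DROP"}))
    # With DROP and ACCEPT objects both attached, these ACLs should log but do not.
    for uuid, action, expected, actual in check_sample({"DROP", "ACCEPT"}):
        print(f"{uuid} ({action}): expected log={expected}, found log={actual}")
```

On a live controller, feed the script the output of `ovn-nbctl list acl` for the ACL UUIDs listed in the security group's port group, and the event types from `openstack network log list` filtered to that group; any mismatch where `expected` is true and `actual` is false means traffic the log object claims to cover will never appear in ovn-controller.log.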

Comment 11 ayenachew molla 2022-05-12 13:16:39 UTC
Verified that overlapping configuration works in OSP 16.2 environment

Comment 16 errata-xmlrpc 2022-06-22 16:02:30 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 16.2.3 (Train)), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:4793
