Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1988837

Summary: Drop events are logged for all security groups if at least one security group has logging enabled for dropped traffic
Product: Red Hat OpenStack Reporter: Alex Katz <akatz>
Component: documentationAssignee: James Smith <jamsmith>
Status: CLOSED CURRENTRELEASE QA Contact: RHOS Documentation Team <rhos-docs>
Severity: high Docs Contact:
Priority: high    
Version: 16.2 (Train)CC: apevec, egarciar, froyo, jamsmith, lhh, majopela, mblue, scohen
Target Milestone: z3Keywords: Triaged
Target Release: 16.2 (Train on RHEL 8.4)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-08-21 15:04:14 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1619266    

Description Alex Katz 2021-08-01 14:36:15 UTC 
If at least one security group has logging enabled for dropped traffic, dropped packets for all security groups will be logged.



Create network topology:
openstack network create net_1
openstack subnet create --subnet-range 10.100.0.0/24 --network net_1 subnet_1
openstack network create net_2
openstack subnet create --subnet-range 10.100.1.0/24 --network net_2 subnet_2

openstack router create router_1
openstack router set --external-gateway nova router_1
openstack router add subnet router_1 subnet_1
openstack router add subnet router_1 subnet_2



Create two security groups:
openstack security group create sg_1
openstack security group create sg_2
openstack security group rule create --ingress --protocol icmp sg_1
openstack security group rule create --ingress --protocol icmp sg_2



Create two VMs (replicated with different computes as well as with a single compute for both VMs)
openstack server create --image cirros-0.4.0-x86_64-disk.img --flavor m1.micro --network net_1 --security-group sg_1 --wait vm_1
openstack server create --image cirros-0.4.0-x86_64-disk.img --flavor m1.micro --network net_2 --security-group sg_2 --wait vm_2



Create FIPs
openstack floating ip create --floating-ip-address 10.0.0.201 nova
openstack server add floating ip vm_1 10.0.0.201
openstack floating ip create --floating-ip-address 10.0.0.202 nova
openstack server add floating ip vm_2 10.0.0.202



Enable logging for `sg_1`
openstack network log create --resource-type security_group --resource sg_1 --event ALL test_log



Test connectivity to both VMs using ping and so verify that only ICMP requests to vm_1 are logged.

Try to initiate another type of connection (e.g. SSH) to both VMs. There are should be log events for vm_1 only, but there will be logs for vm_2 too.
Comment 1 Alex Katz 2021-08-01 14:45:21 UTC 
As far as I understand the issue happens because there are only two (one for inbound and one for outbound traffic) ACLs created to drop traffic in NBDB:

podman exec ovn_controller ovn-nbctl find acl action=drop
_uuid               : dfd29915-05cd-40bf-a1cb-a4439d604aaa
action              : drop
direction           : to-lport
external_ids        : {}
log                 : true
match               : "outport == @neutron_pg_drop && ip"
meter               : acl_log_meter
name                : neutron-3386a030-5d53-42a4-930d-9bbd793c6590
priority            : 1001
severity            : info

_uuid               : 570d5d1a-d43f-4700-aaf5-cb6972bc900d
action              : drop
direction           : from-lport
external_ids        : {}
log                 : true
match               : "inport == @neutron_pg_drop && ip"
meter               : acl_log_meter
name                : neutron-3386a030-5d53-42a4-930d-9bbd793c6590
priority            : 1001
severity            : info