Bug 1988837 - Drop events are logged for all security groups if at least one security group has logging enabled for dropped traffic
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: documentation
Version: 16.2 (Train)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: z3
Target Release: 16.2 (Train on RHEL 8.4)
Assignee: James Smith
QA Contact: RHOS Documentation Team
URL:
Whiteboard:
Depends On:
Blocks: 1619266
Reported: 2021-08-01 14:36 UTC by Alex Katz
Modified: 2023-08-21 15:05 UTC
CC: 8 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-08-21 15:04:14 UTC
Target Upstream Version:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 835014 0 None NEW [OVN] Log drop events per security group 2022-07-11 14:56:09 UTC
Red Hat Issue Tracker OSP-6692 0 None None None 2021-11-15 13:03:07 UTC

Description Alex Katz 2021-08-01 14:36:15 UTC
If at least one security group has logging enabled for dropped traffic, dropped packets for all security groups will be logged.

Create network topology:
openstack network create net_1
openstack subnet create --subnet-range 10.100.0.0/24 --network net_1 subnet_1
openstack network create net_2
openstack subnet create --subnet-range 10.100.1.0/24 --network net_2 subnet_2

openstack router create router_1
openstack router set --external-gateway nova router_1
openstack router add subnet router_1 subnet_1
openstack router add subnet router_1 subnet_2

Create two security groups:
openstack security group create sg_1
openstack security group create sg_2
openstack security group rule create --ingress --protocol icmp sg_1
openstack security group rule create --ingress --protocol icmp sg_2

Create two VMs (replicated with different computes as well as with a single compute for both VMs)
openstack server create --image cirros-0.4.0-x86_64-disk.img --flavor m1.micro --network net_1 --security-group sg_1 --wait vm_1
openstack server create --image cirros-0.4.0-x86_64-disk.img --flavor m1.micro --network net_2 --security-group sg_2 --wait vm_2

Create FIPs
openstack floating ip create --floating-ip-address 10.0.0.201 nova
openstack server add floating ip vm_1 10.0.0.201
openstack floating ip create --floating-ip-address 10.0.0.202 nova
openstack server add floating ip vm_2 10.0.0.202

Enable logging for `sg_1`
openstack network log create --resource-type security_group --resource sg_1 --event ALL test_log

Test connectivity to both VMs using ping and verify that only ICMP requests to vm_1 are logged.

Try to initiate another type of connection (e.g. SSH) to both VMs. There should be log events for vm_1 only, but there will be logs for vm_2 too.

Comment 1 Alex Katz 2021-08-01 14:45:21 UTC
As far as I understand, the issue happens because there are only two ACLs (one for inbound and one for outbound traffic) created to drop traffic in the NBDB:

podman exec ovn_controller ovn-nbctl find acl action=drop
_uuid               : dfd29915-05cd-40bf-a1cb-a4439d604aaa
action              : drop
direction           : to-lport
external_ids        : {}
log                 : true
match               : "outport == @neutron_pg_drop && ip"
meter               : acl_log_meter
name                : neutron-3386a030-5d53-42a4-930d-9bbd793c6590
priority            : 1001
severity            : info

_uuid               : 570d5d1a-d43f-4700-aaf5-cb6972bc900d
action              : drop
direction           : from-lport
external_ids        : {}
log                 : true
match               : "inport == @neutron_pg_drop && ip"
meter               : acl_log_meter
name                : neutron-3386a030-5d53-42a4-930d-9bbd793c6590
priority            : 1001
severity            : info
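The ACL listing above is enough to check, from an operator's side, whether drop logging is scoped to one security group or attached to the port group that every Neutron port belongs to. The script below is an added example for this bug page, not code from Neutron, OVN or the linked Gerrit change: it parses `ovn-nbctl find acl action=drop` output in the record format shown in comment 1 (the sample text is copied from that comment), and flags any drop ACL with `log: true` whose match references `@neutron_pg_drop`. The port group name `neutron_pg_drop` is taken from the match expressions above; treating it as the "all ports" group is the assumption the check rests on.

```python
import re
from typing import Dict, List

# Output of `ovn-nbctl find acl action=drop` as posted in comment 1 of this bug:
# blank-line separated records of "key : value" lines.
SAMPLE_NBCTL_OUTPUT = """\
_uuid               : dfd29915-05cd-40bf-a1cb-a4439d604aaa
action              : drop
direction           : to-lport
external_ids        : {}
log                 : true
match               : "outport == @neutron_pg_drop && ip"
meter               : acl_log_meter
name                : neutron-3386a030-5d53-42a4-930d-9bbd793c6590
priority            : 1001
severity            : info

_uuid               : 570d5d1a-d43f-4700-aaf5-cb6972bc900d
action              : drop
direction           : from-lport
external_ids        : {}
log                 : true
match               : "inport == @neutron_pg_drop && ip"
meter               : acl_log_meter
name                : neutron-3386a030-5d53-42a4-930d-9bbd793c6590
priority            : 1001
severity            : info
"""

# Assumption: this port group contains every Neutron port (as the match
# expressions above suggest), so a logged drop ACL on it logs for all ports.
SHARED_DROP_PORT_GROUP = "neutron_pg_drop"

_KV_LINE = re.compile(r"^(\S+)\s*:\s*(.*)$")


def parse_nbctl_records(text: str) -> List[Dict[str, str]]:
    """Split `ovn-nbctl find` output into one dict per blank-line separated record."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        m = _KV_LINE.match(line)
        if not m:
            continue  # tolerate stray lines (e.g. a shell prompt) in captured output
        key, value = m.group(1), m.group(2).strip()
        # OVSDB prints string values in double quotes; strip them.
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        current[key] = value
    if current:
        records.append(current)
    return records


def port_groups_in_match(match: str) -> List[str]:
    """Port group names referenced as @name in an ACL match expression."""
    return re.findall(r"@([A-Za-z0-9_.-]+)", match)


def find_unscoped_logged_drops(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Drop ACLs with log=true whose match is bound to the shared drop port group."""
    return [
        r for r in records
        if r.get("action") == "drop"
        and r.get("log") == "true"
        and SHARED_DROP_PORT_GROUP in port_groups_in_match(r.get("match", ""))
    ]


def logging_is_per_security_group(records: List[Dict[str, str]]) -> bool:
    """True only when no drop-logging ACL is attached to the shared port group."""
    return not find_unscoped_logged_drops(records)


if __name__ == "__main__":
    recs = parse_nbctl_records(SAMPLE_NBCTL_OUTPUT)
    for acl in find_unscoped_logged_drops(recs):
        print(f"{acl['_uuid']} {acl['direction']:<10} logs drops for every port: {acl['match']}")
    print("drop logging scoped per security group:", logging_is_per_security_group(recs))
```

Run against a live deployment by replacing `SAMPLE_NBCTL_OUTPUT` with the captured text of `podman exec ovn_controller ovn-nbctl find acl action=drop`; for the records in this bug the check reports both the `to-lport` and `from-lport` ACLs, which is exactly the condition under which enabling drop logging on `sg_1` also produces drop events for `sg_2`.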

