1990279 – Only client to server packets are logged

Bug 1990279 - Only client to server packets are logged

Summary: Only client to server packets are logged

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	python-networking-ovn
Sub Component:
Version:	16.2 (Train)
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	z5
Target Release:	16.2 (Train on RHEL 8.4)
Assignee:	Elvira
QA Contact:	Maor
Docs Contact:
URL:
Whiteboard:
Depends On:	2031150
Blocks:	1619266 2152877 2181805
TreeView+	depends on / blocked

Reported:	2021-08-05 07:35 UTC by Alex Katz
Modified:	2023-04-26 12:17 UTC (History)
CC List:	7 users (show)
Fixed In Version:	python-networking-ovn-7.4.2-2.20220409154873.el8ost
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Clones:	2152877 2181805 (view as bug list)
Environment:
Last Closed:	2023-04-26 12:16:45 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
OpenStack gerrit	871096	None	NEW	[OVN] Allow logging all traffic related to an ACL	2023-01-23 15:31:42 UTC
Red Hat Issue Tracker	OSP-6803	None	None	None	2021-11-15 13:01:43 UTC
Red Hat Product Errata	RHBA-2023:1763	None	None	None	2023-04-26 12:17:07 UTC

Description Alex Katz 2021-08-05 07:35:41 UTC

Description of problem:
With the OVN security group logging feature enabled there is only one direction (from client to server) packets are actually logged. It happens because there is a single OpenFlow rule created for the returned traffic and it has no logging action


1. ICMP request (client-to-server)

cookie=0x3c29ab85, duration=15.254s, table=44, n_packets=1, n_bytes=98, priority=2002,icmp,reg0=0x80/0x80,reg15=0x3,metadata=0x2 actions=load:0x1->NXM_NX_XXREG0[97],controller(userdata=00.00.00.07.00.00.00.00.00.06.6e.65.75.74.72.6f.6e.2d.38.34.61.61.30.64.65.61.2d.35.33.63.31.2d.34.39.33.62.2d.61.33.33.39.2d.62.38.37.63.66.32.65.62.35.61.34.37,meter_id=1),resubmit(,45)

2. ICMP reply (server-to-client)

cookie=0xc7091af2, duration=15.251s, table=44, n_packets=1, n_bytes=98, priority=65532,ct_state=-new+est-rel+rpl-inv+trk,ct_label=0/0x1,metadata=0x2 actions=resubmit(,45)


With ml2/OVS (ovs-firewall driver) plugin there is no such issue as there are logs only for the first packet of each session.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:
From my point of view, we need to log all the packets that are passed through or limit logs with just a single packet for each session.


Additional info:

Comment 17 Elvira 2023-02-23 16:05:33 UTC

This is just waiting for the functional test gate to be unblocked, it is otherwise ready to be merged and merged in 17.1: https://bugzilla.redhat.com/show_bug.cgi?id=2152877

Comment 30 errata-xmlrpc 2023-04-26 12:16:45 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 16.2.5 (Train) bug fix and enhancement advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:1763

Note You need to log in before you can comment on or make changes to this bug.