Description of problem: Only the first log object created associated with a certain event is the one used in that port group ACLs Version-Release number of selected component (if applicable): 16.2 How reproducible: 100% Steps to Reproduce: 1. I create a sg logging object called accept_sg1, then drop_sg1: Both work. (Success) 2. I disable accept_sg1: Accepted packets are not logged (Success) 3. And then I create all_sg1: We see the same behaviour as before. Accept packets are not logged, but dropped are. (Failure) The core reason for this is that both ACCEPT and DROP ACLs already had a different log group assigned. +--------------------------------------+---------+------------+----------------+---------------------------------------------------------------+ | ID | Enabled | Name | Type | Summary | +--------------------------------------+---------+------------+----------------+---------------------------------------------------------------+ | 0918edeb-e1b4-4688-945a-a0ec365c9686 | True | all_sg1 | security_group | Event: ALL, | | | | | | Logged: (security_group) a46dbb61-2d0f-465d-b950-fe3d3ba5a43e | | 1048b03a-fc2d-432e-8bd6-b05ad75e53f5 | False | accept_sg1 | security_group | Event: ACCEPT, | | | | | | Logged: (security_group) a46dbb61-2d0f-465d-b950-fe3d3ba5a43e | | cfb09a6c-753b-4325-be51-cc3132c53be1 | True | drop_sg1 | security_group | Event: DROP, | | | | | | Logged: (security_group) a46dbb61-2d0f-465d-b950-fe3d3ba5a43e | +--------------------------------------+---------+------------+----------------+---------------------------------------------------------------+ 4. If I delete accept_sg1, all_sg1 will now be "in charge" of logging accepted packets. Dropped ones will still be logged +--------------------------------------+---------+------------+----------------+---------------------------------------------------------------+ | ID | Enabled | Name | Type | Summary | +--------------------------------------+---------+------------+----------------+---------------------------------------------------------------+ | 0918edeb-e1b4-4688-945a-a0ec365c9686 | True | all_sg1 | security_group | Event: ALL, | | | | | | Logged: (security_group) a46dbb61-2d0f-465d-b950-fe3d3ba5a43e | | cfb09a6c-753b-4325-be51-cc3132c53be1 | True | drop_sg1 | security_group | Event: DROP, | | | | | | Logged: (security_group) a46dbb61-2d0f-465d-b950-fe3d3ba5a43e | +--------------------------------------+---------+------------+----------------+---------------------------------------------------------------+ 5. If I now disable drop_sg1, I will only capture accepted packets even if the other object enabled is all_sg1 If instead of disabling and enabling the log objects for a security group, you use create and delete, the feature will work. Actual results: Only the first log object associated to a resource is taken into account. If you disable it, you won't see any traffic of that kind logged even if there is another log object with log enabled that allowed that kind of logging. Expected results: I think we could either disallow creating multiple resource redundant log objects or somehow allow enable-disable to work correctly in this situation. Additional info:
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Red Hat OpenStack Platform 16.2.5 (Train) bug fix and enhancement advisory), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:1763