Bug 2136860 - [OVN] If there are multiple network log objects associated to the same event and security group, only the first created is considered
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-networking-ovn
Version: 16.2 (Train)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: z5
Target Release: 16.2 (Train on RHEL 8.4)
Assignee: Elvira
QA Contact: Maor
URL:
Whiteboard:
Depends On:
Blocks: 2154343
 
Reported: 2022-10-21 16:01 UTC by Elvira
Modified: 2023-04-26 12:17 UTC

Fixed In Version: python-networking-ovn-7.4.2-2.20220409154873.el8ost
Doc Type: No Doc Update
Doc Text:
Clone Of:
Clones: 2154343
Environment:
Last Closed: 2023-04-26 12:16:47 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 864152 0 None MERGED Fix behaviour of enable/disable in OVN network log 2022-12-14 16:20:56 UTC
Red Hat Issue Tracker OSP-19578 0 None None None 2022-10-21 16:37:32 UTC
Red Hat Product Errata RHBA-2023:1763 0 None None None 2023-04-26 12:17:19 UTC

Description Elvira 2022-10-21 16:01:51 UTC
Description of problem:
Only the first log object created and associated with a certain event is used in that port group's ACLs.

Version-Release number of selected component (if applicable):
16.2

How reproducible:
100%

Steps to Reproduce:

1. I create a sg logging object called accept_sg1, then drop_sg1:
Both work. (Success)

2. I disable accept_sg1:
Accepted packets are not logged (Success)

3. And then I create all_sg1:
We see the same behaviour as before. Accepted packets are not logged, but dropped ones are. (Failure)
The core reason for this is that both the ACCEPT and DROP ACLs already had a different log group assigned.

+--------------------------------------+---------+------------+----------------+---------------------------------------------------------------+
| ID                                   | Enabled | Name       | Type           | Summary                                                       |
+--------------------------------------+---------+------------+----------------+---------------------------------------------------------------+
| 0918edeb-e1b4-4688-945a-a0ec365c9686 | True    | all_sg1    | security_group | Event: ALL,                                                   |
|                                      |         |            |                | Logged: (security_group) a46dbb61-2d0f-465d-b950-fe3d3ba5a43e |
| 1048b03a-fc2d-432e-8bd6-b05ad75e53f5 | False   | accept_sg1 | security_group | Event: ACCEPT,                                                |
|                                      |         |            |                | Logged: (security_group) a46dbb61-2d0f-465d-b950-fe3d3ba5a43e |
| cfb09a6c-753b-4325-be51-cc3132c53be1 | True    | drop_sg1   | security_group | Event: DROP,                                                  |
|                                      |         |            |                | Logged: (security_group) a46dbb61-2d0f-465d-b950-fe3d3ba5a43e |
+--------------------------------------+---------+------------+----------------+---------------------------------------------------------------+

4. If I delete accept_sg1, all_sg1 will now be "in charge" of logging accepted packets. Dropped ones will still be logged.
 
+--------------------------------------+---------+------------+----------------+---------------------------------------------------------------+
| ID                                   | Enabled | Name       | Type           | Summary                                                       |
+--------------------------------------+---------+------------+----------------+---------------------------------------------------------------+
| 0918edeb-e1b4-4688-945a-a0ec365c9686 | True    | all_sg1    | security_group | Event: ALL,                                                   |
|                                      |         |            |                | Logged: (security_group) a46dbb61-2d0f-465d-b950-fe3d3ba5a43e |
| cfb09a6c-753b-4325-be51-cc3132c53be1 | True    | drop_sg1   | security_group | Event: DROP,                                                  |
|                                      |         |            |                | Logged: (security_group) a46dbb61-2d0f-465d-b950-fe3d3ba5a43e |
+--------------------------------------+---------+------------+----------------+---------------------------------------------------------------+

5. If I now disable drop_sg1, I will only capture accepted packets even if the other object enabled is all_sg1

If instead of disabling and enabling the log objects for a security group, you use create and delete, the feature will work.

Actual results:
Only the first log object associated with a resource is taken into account. If you disable it, you won't see any traffic of that kind logged, even if there is another log object with logging enabled that allows that kind of logging.

Expected results:

I think we could either disallow creating multiple resource redundant log objects or somehow allow enable-disable to work correctly in this situation.

Additional info:

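To make the reported ordering problem concrete, the following is an added model written for this page (it is not networking-ovn code): it resolves a security group ACL's log flag from the group's log objects once with the reported "first object created for the event decides" rule and once with the expected "any enabled matching object" rule, then walks the five steps above. Object names and the walk-through are constructed from the report.

```python
"""Model of how an OVN security-group ACL's log flag is resolved from
Neutron network-log objects (illustration only, not the project's code)."""
from dataclasses import dataclass


@dataclass
class LogObject:          # constructed stand-in for a Neutron network log
    name: str
    event: str            # "ACCEPT", "DROP" or "ALL"
    enabled: bool = True


def matches(log: LogObject, action: str) -> bool:
    """A log object covers an ACL when its event is ALL or equals the action."""
    return log.event == "ALL" or log.event == action


def buggy_acl_logging(logs, action):
    """Reported behaviour: the first matching object (creation order) decides,
    even when it is disabled and a later matching object is enabled."""
    for log in logs:                      # logs are kept in creation order
        if matches(log, action):
            return log.enabled
    return False


def fixed_acl_logging(logs, action):
    """Expected behaviour: any enabled matching object turns logging on."""
    return any(log.enabled and matches(log, action) for log in logs)


def walk_report_steps(resolver):
    """Replays steps 1-5 of the report; returns one {action: logged?} per step."""
    accept, drop = LogObject("accept_sg1", "ACCEPT"), LogObject("drop_sg1", "DROP")
    logs, results = [accept, drop], []     # step 1: both created
    snapshot = lambda: results.append({a: resolver(logs, a) for a in ("ACCEPT", "DROP")})
    snapshot()
    accept.enabled = False                 # step 2: disable accept_sg1
    snapshot()
    logs.append(LogObject("all_sg1", "ALL"))   # step 3: create all_sg1
    snapshot()
    logs.remove(accept)                    # step 4: delete accept_sg1
    snapshot()
    drop.enabled = False                   # step 5: disable drop_sg1
    snapshot()
    return results


if __name__ == "__main__":
    for step, (b, f) in enumerate(zip(walk_report_steps(buggy_acl_logging),
                                      walk_report_steps(fixed_acl_logging)), 1):
        print(f"step {step}: reported={b} expected={f}")
```

Steps 3 and 5 are where the two resolvers diverge, which matches the "(Failure)" outcomes in the report.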
Comment 14 errata-xmlrpc 2023-04-26 12:16:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 16.2.5 (Train) bug fix and enhancement advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:1763

