Public bug reported:

It is important for operators to have visibility into security rule enforcement, as described in [1]. A specific requirement is to be able to control logging behaviour at the rule level.
A typical use case: when defining rules for a new application, or when an application has new clients, the user wants to observe and learn what the active flows are during a "monitoring" phase, to avoid missing rules. During this phase, an "allow any" rule can be added to the security group for that application, and packets hitting that rule can be logged (with rate limiting). For this purpose, enabling/disabling logging at the rule level is required. Instead of a generic logging API, this RFE proposes a simple extension to the security group rule resource, adding a "log" property. It will be each plugin's choice whether and how to support it. Take networking-ovn as an example: it will be straightforward to translate this into the "log" keyword in OVN ACLs.

[1] https://bugs.launchpad.net/neutron/+bug/1468366

** Affects: neutron
     Importance: Undecided
         Status: New

** Tags: rfe

-- 
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1659416

Title:
  RFE: extend security group rules to support logging

Status in neutron:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1659416/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
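An added illustration of the monitoring phase the RFE describes (this is not Neutron or networking-ovn code, and the proposed "log" property was not part of the API at the time of the report): specific rules are evaluated first, a logged "allow any" rule sits last, hits on logged rules go through a token-bucket rate limiter, and the hits that only the catch-all rule allowed are collected so the operator can see which specific rules are missing. The `Rule`, `Flow`, `TokenBucket` and `SecurityGroup` classes, first-match ordering (as an OVN ACL priority chain would behave), the rule names, ports and IP addresses are all assumptions constructed for this example.

```python
"""Per-rule "log" flag with rate-limited hit logging (example, not Neutron code)."""
import ipaddress
import logging
import time
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

logging.basicConfig(level=logging.INFO, format="%(message)s")
LOG = logging.getLogger("sg-rule-log")


@dataclass(frozen=True)
class Flow:
    """One packet/flow as seen by the enforcement point (constructed format)."""
    direction: str        # "ingress" or "egress"
    protocol: str         # "tcp", "udp" or "icmp"
    port: Optional[int]   # destination port, None for icmp
    remote_ip: str


@dataclass
class Rule:
    """A security group rule carrying the hypothetical per-rule ``log`` flag from the RFE."""
    name: str
    direction: str
    protocol: Optional[str] = None        # None matches any protocol
    port_min: Optional[int] = None        # None matches any port
    port_max: Optional[int] = None        # None means a single port equal to port_min
    remote_ip_prefix: str = "0.0.0.0/0"
    log: bool = False

    def matches(self, flow: Flow) -> bool:
        if flow.direction != self.direction:
            return False
        if self.protocol is not None and flow.protocol != self.protocol:
            return False
        if self.port_min is not None:
            hi = self.port_max if self.port_max is not None else self.port_min
            if flow.port is None or not (self.port_min <= flow.port <= hi):
                return False
        return ipaddress.ip_address(flow.remote_ip) in ipaddress.ip_network(self.remote_ip_prefix)


class TokenBucket:
    """Rate limiter for log lines: at most ``burst`` at once, refilled at ``rate`` per second."""
    def __init__(self, rate: float, burst: int, clock: Callable[[], float] = time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens = float(burst)
        self.last = clock()

    def allow(self) -> bool:
        now = self.clock()
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class SecurityGroup:
    """First matching rule wins (assumed ordering); hits on ``log=True`` rules are logged."""
    def __init__(self, rules: List[Rule], log_rate: float = 5.0, log_burst: int = 10,
                 clock: Callable[[], float] = time.monotonic):
        self.rules = list(rules)
        self.limiter = TokenBucket(log_rate, log_burst, clock)
        self.hits: Counter = Counter()   # (rule name, flow) -> hits, counted even when a log line is suppressed
        self.suppressed = 0

    def evaluate(self, flow: Flow) -> bool:
        for rule in self.rules:
            if rule.matches(flow):
                if rule.log:
                    self._log_hit(rule, flow)
                return True
        return False   # security groups are allow-lists: no matching rule means the packet is dropped

    def _log_hit(self, rule: Rule, flow: Flow) -> None:
        self.hits[(rule.name, flow)] += 1
        if self.limiter.allow():
            LOG.info("sg-rule-hit rule=%s dir=%s proto=%s port=%s remote=%s",
                     rule.name, flow.direction, flow.protocol, flow.port, flow.remote_ip)
        else:
            self.suppressed += 1   # rate limited: the counter still records the flow for learning

    def uncovered_flows(self, rule_name: str) -> Counter:
        """Flows that only the named (logged catch-all) rule allowed: candidates for specific rules."""
        return Counter({flow: n for (name, flow), n in self.hits.items() if name == rule_name})


class FakeClock:
    """Deterministic clock so the rate limiter behaves the same on every run."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


def monitoring_demo() -> Dict[str, object]:
    """Monitoring phase: one specific rule, then a logged allow-any rule; constructed traffic."""
    clock = FakeClock()
    sg = SecurityGroup([Rule("web-https", "ingress", "tcp", 443),
                        Rule("monitor-allow-any", "ingress", log=True)],
                       log_rate=1.0, log_burst=2, clock=clock)
    traffic = [Flow("ingress", "tcp", 443, "203.0.113.10")] * 3        # covered by web-https, never logged
    traffic += [Flow("ingress", "tcp", 22, "198.51.100.7")] * 4         # only the catch-all allows these
    allowed = sum(sg.evaluate(f) for f in traffic)
    dropped = 0 if sg.evaluate(Flow("egress", "udp", 53, "198.51.100.53")) else 1   # no egress rule at all
    clock.t = 5.0                                                       # bucket refills, next hit is logged
    allowed += sg.evaluate(Flow("ingress", "icmp", None, "198.51.100.8"))
    return {"allowed": allowed, "dropped": dropped, "suppressed": sg.suppressed,
            "uncovered": sg.uncovered_flows("monitor-allow-any")}


if __name__ == "__main__":
    print(monitoring_demo())
```

The `uncovered` counter is the output an operator would read at the end of the monitoring phase: every flow in it was allowed only by the catch-all rule, so each entry is a candidate for a specific rule before the "allow any" rule is removed. Counting hits separately from emitting log lines keeps rate limiting from hiding flows.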

