Public bug reported: OpenStack version: Rocky, operating system: CentOS 7, libnetfilter_log-1.0.1-7.el7.x86_64
neutron.conf [DEFAULT] service_plugins = router,firewall_v2,log [service_providers] service_provider = FIREWALL_V2:fwaas_db:neutron_fwaas.services.firewall.service_drivers.agents.agents.FirewallAgentDriver:default fwaas_driver.ini [fwaas] agent_version = v2 driver = neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.iptables_fwaas_v2.IptablesFwaasDriver enabled = True l3_agent.ini [agent] extensions = fwaas_v2,fwaas_v2_log Topology vm1 172.16.10.14 vm2 172.16.20.12 r1 172.16.10.1 172.16.20.1 #openstack firewall group rule show deny_ping +------------------------+-------------------------------------------+ | Field | Value | +------------------------+-------------------------------------------+ | Action | deny | | Description | | | Destination IP Address | 172.16.20.12 | | Destination Port | None | | Enabled | True | | ID | a3231ec7-f0a0-48cd-b063-2bf0348ee0c5 | | IP Version | 4 | | Name | deny_ping | | Project | f8c73e555a294972964781606efb5291 | | Protocol | icmp | | Shared | False | | Source IP Address | 172.16.10.14 | | Source Port | None | | firewall_policy_id | [u'cd9b4031-7d8c-4721-99aa-dedac7e1317f'] | | project_id | f8c73e555a294972964781606efb5291 | +------------------------+-------------------------------------------+ #openstack network log show my-log +-----------------+--------------------------------------+ | Field | Value | +-----------------+--------------------------------------+ | Description | | | Enabled | True | | Event | ALL | | ID | 009cdc65-360d-46c1-9366-360c8b094351 | | Name | my-log | | Project | f8c73e555a294972964781606efb5291 | | Resource | 087a286e-bb7b-4583-bac4-0a7828c88e91 | | Target | None | | Type | firewall_group | | created_at | 2019-06-13T07:46:13Z | | revision_number | 0 | | tenant_id | f8c73e555a294972964781606efb5291 | | updated_at | 2019-06-13T07:46:13Z | +-----------------+--------------------------------------+ #ip netns exec qrouter-38b02e81-bb69-48aa-9ca1-23b371af0b7f iptables -nvL Chain 
neutron-l3-agent-dropped (5 references) pkts bytes target prot opt in out source destination 40 3360 NFLOG all -- qr-5feaec8e-8b * 0.0.0.0/0 0.0.0.0/0 limit: avg 100/sec burst 25 nflog-prefix 12876978778924028228 0 0 NFLOG all -- * qr-5feaec8e-8b 0.0.0.0/0 0.0.0.0/0 limit: avg 100/sec burst 25 nflog-prefix 12876978778924028228 40 3360 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 -------------------------- The NFLOG rule is matching the packets (its counters above are non-zero), but the log file contains no records. ** Affects: neutron Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron. https://bugs.launchpad.net/bugs/1833156 Title: neutron fwaas v2 log function does not work Status in neutron: New Bug description: OpenStack version: Rocky, operating system: CentOS 7, libnetfilter_log-1.0.1-7.el7.x86_64 neutron.conf [DEFAULT] service_plugins = router,firewall_v2,log [service_providers] service_provider = FIREWALL_V2:fwaas_db:neutron_fwaas.services.firewall.service_drivers.agents.agents.FirewallAgentDriver:default fwaas_driver.ini [fwaas] agent_version = v2 driver = neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.iptables_fwaas_v2.IptablesFwaasDriver enabled = True l3_agent.ini [agent] extensions = fwaas_v2,fwaas_v2_log Topology vm1 172.16.10.14 vm2 172.16.20.12 r1 172.16.10.1 172.16.20.1 #openstack firewall group rule show deny_ping +------------------------+-------------------------------------------+ | Field | Value | +------------------------+-------------------------------------------+ | Action | deny | | Description | | | Destination IP Address | 172.16.20.12 | | Destination Port | None | | Enabled | True | | ID | a3231ec7-f0a0-48cd-b063-2bf0348ee0c5 | | IP Version | 4 | | Name | deny_ping | | Project | f8c73e555a294972964781606efb5291 | | Protocol | icmp | | Shared | False | | Source IP Address | 172.16.10.14 | | Source Port | None | | firewall_policy_id |
[u'cd9b4031-7d8c-4721-99aa-dedac7e1317f'] | | project_id | f8c73e555a294972964781606efb5291 | +------------------------+-------------------------------------------+ #openstack network log show my-log +-----------------+--------------------------------------+ | Field | Value | +-----------------+--------------------------------------+ | Description | | | Enabled | True | | Event | ALL | | ID | 009cdc65-360d-46c1-9366-360c8b094351 | | Name | my-log | | Project | f8c73e555a294972964781606efb5291 | | Resource | 087a286e-bb7b-4583-bac4-0a7828c88e91 | | Target | None | | Type | firewall_group | | created_at | 2019-06-13T07:46:13Z | | revision_number | 0 | | tenant_id | f8c73e555a294972964781606efb5291 | | updated_at | 2019-06-13T07:46:13Z | +-----------------+--------------------------------------+ #ip netns exec qrouter-38b02e81-bb69-48aa-9ca1-23b371af0b7f iptables -nvL Chain neutron-l3-agent-dropped (5 references) pkts bytes target prot opt in out source destination 40 3360 NFLOG all -- qr-5feaec8e-8b * 0.0.0.0/0 0.0.0.0/0 limit: avg 100/sec burst 25 nflog-prefix 12876978778924028228 0 0 NFLOG all -- * qr-5feaec8e-8b 0.0.0.0/0 0.0.0.0/0 limit: avg 100/sec burst 25 nflog-prefix 12876978778924028228 40 3360 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 -------------------------- The NFLOG rule is matching the packets (its counters above are non-zero), but the log file contains no records. To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1833156/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp