Fix lost connection when create security group log

Packets sent to table 91 are considered accepted by the egress pipeline,
and the NORMAL action is used by default in this table. However, if we
create a security group logging resource, the OVS log flows are added
to this table with a higher priority. Packets that match the OVS log
flows are therefore sent to CONTROLLER and never forwarded.
This patch appends action=NORMAL to the OVS log flows so that the packet
is forwarded as well as sent to CONTROLLER for logging.

Closes-Bug: #1787106
Change-Id: I6e95e2e646ec8a5507c7f140ab2c4a56be8404c3
(cherry picked from commit 7d2ac2d0af)
Nguyen Phuong An 2018-08-15 13:09:38 +07:00 committed by Akihiro Motoki
parent e789f92eb9
commit 684ea39801
3 changed files with 7 additions and 3 deletions


@ -336,6 +336,9 @@ class OVSFirewallLoggingDriver(log_ext.LoggingDriver):
flow['ct_state'] = ovsfw_consts.OF_STATE_NEW_NOT_ESTABLISHED
flow['table'] = OVS_FW_TO_LOG_TABLES[flow['table']]
flow['actions'] = 'controller'
# forward egress accepted packet and log
if flow['table'] == ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE:
flow['actions'] = 'normal,controller'
self._add_flow(**flow)
def _add_flow(self, **kwargs):
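Review bot: The new comment `# forward egress accepted packet and log` does not say why NORMAL has to be repeated in the log flow, and that reason is the whole fix. Per the commit message, the log flow is installed at a higher priority than the table's default flow, so its action list replaces the forwarding decision for every packet it matches. I would state that in the comment, e.g. `# The log flow shadows the default NORMAL flow in the accepted-egress table, so it must forward the packet itself; 'controller' alone logs the packet and drops it.` The literal `'normal'` also duplicates a default that is defined outside this hunk, so a shared constant would make the coupling visible if that default ever changes. The enclosing method starts above the hunk, so whether the other log tables need the same treatment cannot be judged from here.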


@ -103,7 +103,8 @@ class TestLoggingExtension(LoggingExtensionTestFramework):
def _is_log_flow_set(self, table):
flows = self.log_driver.int_br.br.dump_flows_for_table(table)
pattern = re.compile(
r"^.* table=%s.* actions=CONTROLLER:65535" % table
r"^.* table=%s.* "
r"actions=(NORMAL,CONTROLLER:65535|CONTROLLER:65535)" % table
)
for flow in flows.splitlines():
if pattern.match(flow.strip()):
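Review bot: The widened alternation `(NORMAL,CONTROLLER:65535|CONTROLLER:65535)` accepts either action list for every table, so `_is_log_flow_set` would still pass if the accepted-egress log flow regressed to `CONTROLLER:65535` only, which is the connectivity bug this commit fixes. The expected action should depend on the table being checked, for example `actions = "NORMAL,CONTROLLER:65535" if table == ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE else "CONTROLLER:65535"` followed by `re.compile(r"^.* table=%s.* actions=%s" % (table, actions))`. Whether `ovs_consts` is already imported in this test module is not visible here. The loop body continues below the hunk.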


@ -183,7 +183,7 @@ class TestOVSFirewallLoggingDriver(base.BaseTestCase):
tcp_dst='0x007b'),
# log egress tcp6
mock.call(
actions='controller',
actions='normal,controller',
cookie=accept_cookie.id,
ct_state=ovsfw_consts.OF_STATE_NEW_NOT_ESTABLISHED,
reg5=self.port_ofport,
@ -193,7 +193,7 @@ class TestOVSFirewallLoggingDriver(base.BaseTestCase):
table=ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE),
# log egress udp
mock.call(
actions='controller',
actions='normal,controller',
cookie=accept_cookie.id,
ct_state=ovsfw_consts.OF_STATE_NEW_NOT_ESTABLISHED,
reg5=self.port_ofport,