From 7d2ac2d0aff90d17d2e46aba2af3b4cc32d1833c Mon Sep 17 00:00:00 2001
From: Nguyen Phuong An
Date: Wed, 15 Aug 2018 13:09:38 +0700
Subject: [PATCH] Fix lost connection when create security group log

Packet sent to table 91 are considered accepted by the egress pipeline and NORMAL action is used by default in this table. However, if we create a security group logging resource, then ovs flows log will be added into this table with higher priority. Therefore packet matches with ovs flows log will be sent to CONTROLLER and never forward. So this patch append action=NORMAL into ovs flows log to forward the packet and send it to CONTROLLER for logging.
Closes-Bug: #1787106
Change-Id: I6e95e2e646ec8a5507c7f140ab2c4a56be8404c3
---
 .../services/logapi/drivers/openvswitch/ovs_firewall_log.py | 3 +++
 neutron/tests/functional/services/logapi/test_logging.py | 3 ++-
 .../logapi/drivers/openvswitch/test_ovs_firewall_log.py | 4 ++--
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/neutron/services/logapi/drivers/openvswitch/ovs_firewall_log.py b/neutron/services/logapi/drivers/openvswitch/ovs_firewall_log.py
index 67aae68ff2c..430ac8ae6c7 100644
--- a/neutron/services/logapi/drivers/openvswitch/ovs_firewall_log.py
+++ b/neutron/services/logapi/drivers/openvswitch/ovs_firewall_log.py
@@ -342,6 +342,9 @@ class OVSFirewallLoggingDriver(log_ext.LoggingDriver):
 # log first accepted packet
 flow['table'] = OVS_FW_TO_LOG_TABLES[flow['table']]
 flow['actions'] = 'controller'
+ # forward egress accepted packet and log
+ if flow['table'] == ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE:
+ flow['actions'] = 'normal,controller'
 self._add_flow(**flow)

 def _add_flow(self, **kwargs):
diff --git a/neutron/tests/functional/services/logapi/test_logging.py b/neutron/tests/functional/services/logapi/test_logging.py
index 876b4333703..b51d2ef7a0d 100644
--- a/neutron/tests/functional/services/logapi/test_logging.py
+++ b/neutron/tests/functional/services/logapi/test_logging.py
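Review bot: The new `if flow['table'] == ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE:` branch hard-codes `normal` as the forwarding action, and its comment says what is done but not why, so the coupling to the table's default flow is undocumented. According to the commit message the log flow outranks that default flow, so if the default action for this table ever changes, logged and unlogged traffic would be forwarded differently and enabling logging would again alter the data path. I would word the comment as `# This log flow shadows the table's default NORMAL flow, so it must forward the packet itself; keep the action in sync with the firewall driver.` and assign the action once, `flow['actions'] = ('normal,controller' if flow['table'] == ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE else 'controller')`. Whether the other table reachable through `OVS_FW_TO_LOG_TABLES` needs the same treatment is not visible here and is worth confirming; the enclosing method starts outside the hunk.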
@@ -103,7 +103,8 @@ class TestLoggingExtension(LoggingExtensionTestFramework):
 def _is_log_flow_set(self, table):
 flows = self.log_driver.int_br.br.dump_flows_for_table(table)
 pattern = re.compile(
- r"^.* table=%s.* actions=CONTROLLER:65535" % table
+ r"^.* table=%s.* "
+ r"actions=(NORMAL,CONTROLLER:65535|CONTROLLER:65535)" % table
 )
 for flow in flows.splitlines():
 if pattern.match(flow.strip()):
diff --git a/neutron/tests/unit/services/logapi/drivers/openvswitch/test_ovs_firewall_log.py b/neutron/tests/unit/services/logapi/drivers/openvswitch/test_ovs_firewall_log.py
index fc1fee64c84..84e3cfb01dd 100644
--- a/neutron/tests/unit/services/logapi/drivers/openvswitch/test_ovs_firewall_log.py
+++ b/neutron/tests/unit/services/logapi/drivers/openvswitch/test_ovs_firewall_log.py
@@ -181,7 +181,7 @@ class TestOVSFirewallLoggingDriver(base.BaseTestCase):
 tcp_dst='0x007b'),
 # log egress tcp6
 mock.call(
- actions='controller',
+ actions='normal,controller',
 cookie=accept_cookie.id,
 reg5=self.port_ofport,
 dl_type="0x{:04x}".format(n_const.ETHERTYPE_IPV6),
@@ -190,7 +190,7 @@ class TestOVSFirewallLoggingDriver(base.BaseTestCase):
 table=ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE),
 # log egress udp
 mock.call(
- actions='controller',
+ actions='normal,controller',
 cookie=accept_cookie.id,
 reg5=self.port_ofport,
 dl_type="0x{:04x}".format(n_const.ETHERTYPE_IP),
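Review bot: The updated pattern in `_is_log_flow_set` accepts either `NORMAL,CONTROLLER:65535` or `CONTROLLER:65535` for every table, so this functional check would still pass if the accepted-egress log flow regressed to controller-only, which is the connectivity loss this commit fixes. The expected action should depend on the table, for example `expected = 'NORMAL,CONTROLLER:65535' if table == ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE else 'CONTROLLER:65535'` followed by `pattern = re.compile(r"^.* table=%s.* actions=%s" % (table, re.escape(expected)))`, assuming `ovs_consts` is importable in this test module, which the hunk does not show. Separately, `table=%s.*` has no delimiter after the number, so a table id that is a prefix of another would also match; `table=%s,` would pin it if the dump output places a comma after the table field. The loop in `_is_log_flow_set` continues past the end of the hunk.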