Fix lost connection when create security group log

Packet sent to table 91 are considered accepted by the egress pipeline and NORMAL action is used by default in this table. However, if we create a security group logging resource, then ovs flows log will be added into this table with higher priority. Therefore packet matches with ovs flows log will be sent to CONTROLLER and never forward. So this patch append action=NORMAL into ovs flows log to forward the packet and send it to CONTROLLER for logging. Closes-Bug: #1787106 Change-Id: I6e95e2e646ec8a5507c7f140ab2c4a56be8404c3
2018-08-15 13:09:38 +07:00 · 2018-08-15 13:09:38 +07:00 · 7d2ac2d0af
commit 7d2ac2d0af
parent 858a7ff42d
3 changed files with 7 additions and 3 deletions
--- a/neutron/services/logapi/drivers/openvswitch/ovs_firewall_log.py
+++ b/neutron/services/logapi/drivers/openvswitch/ovs_firewall_log.py
@ -342,6 +342,9 @@ class OVSFirewallLoggingDriver(log_ext.LoggingDriver):
        # log first accepted packet
        flow['table'] = OVS_FW_TO_LOG_TABLES[flow['table']]
        flow['actions'] = 'controller'
+        # forward egress accepted packet and log
+        if flow['table'] == ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE:
+            flow['actions'] = 'normal,controller'
        self._add_flow(**flow)

    def _add_flow(self, **kwargs):
--- a/neutron/tests/functional/services/logapi/test_logging.py
+++ b/neutron/tests/functional/services/logapi/test_logging.py
@ -103,7 +103,8 @@ class TestLoggingExtension(LoggingExtensionTestFramework):
    def _is_log_flow_set(self, table):
        flows = self.log_driver.int_br.br.dump_flows_for_table(table)
        pattern = re.compile(
-            r"^.* table=%s.* actions=CONTROLLER:65535" % table
+            r"^.* table=%s.* "
+            r"actions=(NORMAL,CONTROLLER:65535|CONTROLLER:65535)" % table
        )
        for flow in flows.splitlines():
            if pattern.match(flow.strip()):
--- a/neutron/tests/unit/services/logapi/drivers/openvswitch/test_ovs_firewall_log.py
+++ b/neutron/tests/unit/services/logapi/drivers/openvswitch/test_ovs_firewall_log.py
@ -181,7 +181,7 @@ class TestOVSFirewallLoggingDriver(base.BaseTestCase):
                tcp_dst='0x007b'),
            # log egress tcp6
            mock.call(
-                actions='controller',
+                actions='normal,controller',
                cookie=accept_cookie.id,
                reg5=self.port_ofport,
                dl_type="0x{:04x}".format(n_const.ETHERTYPE_IPV6),
@ -190,7 +190,7 @@ class TestOVSFirewallLoggingDriver(base.BaseTestCase):
                table=ovs_consts.ACCEPTED_EGRESS_TRAFFIC_TABLE),
            # log egress udp
            mock.call(
-                actions='controller',
+                actions='normal,controller',
                cookie=accept_cookie.id,
                reg5=self.port_ofport,
                dl_type="0x{:04x}".format(n_const.ETHERTYPE_IP),