Merge "[OVN] Allow logging all traffic related to an ACL" into stable/wallaby

Zuul 2023-02-02 16:18:52 +00:00 committed by Gerrit Code Review
commit b53c5e7340
4 changed files with 48 additions and 13 deletions


@ -11,6 +11,7 @@
# under the License.
from collections import namedtuple
import random
from neutron_lib.api.definitions import portbindings
from neutron_lib.callbacks import resources
@ -38,6 +39,7 @@ DRIVER = None
log_cfg.register_log_driver_opts()
MAX_INT_LABEL = 2**32
SUPPORTED_LOGGING_TYPES = [log_const.SECURITY_GROUP]
@ -167,13 +169,20 @@ class OVNDriver(base.DriverBase):
if log_name:
if acl.name and acl.name[0] != log_name:
continue
columns = {
'log': False,
'meter': [],
'name': [],
'severity': []
}
# TODO(egarciar): There wont be a need to check if label exists
# once minimum version for OVN is >= 22.03
if hasattr(acl, 'label'):
columns['label'] = 0
ovn_txn.add(self.ovn_nb.db_remove(
"ACL", acl_uuid, 'options', 'log-related'))
ovn_txn.add(self.ovn_nb.db_set(
"ACL", acl_uuid,
("log", False),
("meter", []),
("name", []),
("severity", [])
))
"ACL", acl_uuid, *columns.items()))
acl_changes += 1
msg = "Cleared %d, Not found %d (out of %d visited) ACLs"
if log_name:
@ -189,13 +198,20 @@ class OVNDriver(base.DriverBase):
# skip acls used by a different network log
if acl.name and acl.name[0] != log_name:
continue
columns = {
'log': acl.action in actions_enabled,
'meter': self.meter_name,
'name': log_name,
'severity': "info"
}
# TODO(egarciar): There wont be a need to check if label exists
# once minimum version for OVN is >= 22.03
if hasattr(acl, "label"):
# Label needs to be an unsigned 32 bit number and not 0.
columns["label"] = random.randrange(1, MAX_INT_LABEL)
columns["options"] = {'log-related': "true"}
ovn_txn.add(self.ovn_nb.db_set(
"ACL", acl_uuid,
("log", acl.action in actions_enabled),
("meter", self.meter_name),
("name", log_name),
("severity", "info")
))
"ACL", acl_uuid, *columns.items()))
acl_changes += 1
LOG.info("Set %d (out of %d visited) ACLs for network log %s",
acl_changes, acl_visits, log_name)
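Review bot: The label assigned in the set path, `columns["label"] = random.randrange(1, MAX_INT_LABEL)`, is drawn independently for every ACL, so two ACLs handled in the same run can receive the same label and their related traffic would then be attributed to the wrong ACL in the log output; if OVN matches related flows back to the ACL by this label, the loop should skip values already handed out (keeping a set of labels assigned so far in the loop is enough). A second run of this method over an ACL that already carries a non-zero label also replaces it with a fresh value, which deserves a comment such as `# Re-applying a log re-labels the ACL; in-flight related connections keep the old label` if that is intended. In the remove path, `db_remove("ACL", acl_uuid, 'options', 'log-related')` is issued for every ACL whether or not the key is present; if the ovsdbapp command raises on a missing key, the whole transaction fails for ACLs that were logged before this change, so `if_exists=True` (where the ovsdbapp version in use supports it) is the safer form. Both enclosing methods start outside the hunks, and the rendered page has lost indentation, so whether the db_remove call sits inside the `hasattr(acl, 'label')` block cannot be confirmed from here.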


@ -151,6 +151,16 @@ class LogApiTestCaseComplex(LogApiTestCaseBase):
acl = self._find_security_group_rule_row_by_id(sgr)
self.assertIsNotNone(acl)
self.assertEqual(is_enabled, acl.log)
if hasattr(acl, "label"):
# Here we compare if there is a name because the log can be
# disabled but disabling a log would not take out the properties
# attached to it.
if acl.name:
self.assertNotEqual(0, acl.label)
self.assertEqual("true", acl.options.get("log-related"))
else:
self.assertEqual(0, acl.label)
self.assertIsNone(acl.options.get("log-related"))
return acl
def _check_acl_log_drop(self, is_enabled=True):


@ -278,7 +278,10 @@ class TestOVNDriver(base.BaseTestCase):
self.assertEqual(len(pg_dict["acls"]), info_args[1])
self.assertEqual(len(pg_dict["acls"]) - 2, info_args[2])
self.assertEqual(len(pg_dict["acls"]), info_args[3])
self.assertEqual(len(pg_dict["acls"]), self._nb_ovn.db_set.call_count)
self.assertEqual(len(pg_dict["acls"]),
self._nb_ovn.db_set.call_count)
self.assertEqual(len(pg_dict["acls"]),
self._nb_ovn.db_remove.call_count)
@mock.patch.object(ovn_driver.LOG, 'info')
def test__remove_acls_log_missing_acls(self, m_info):


@ -0,0 +1,6 @@
---
fixes:
- |
Neutron can record full connection using log-related feature introduced in
OVN 21.12.
For more info see `bug LP#<https://bugs.launchpad.net/neutron/+bug/2003706>`