openstack/neutron
Code Issues Proposed changes

[OVN] Allow logging all traffic related to an ACL

Browse Source 
Before this patch, we would only get logged the client to server side of
the communication. The OVN allow-related ACL option was implemented [0]
so as to be able to log also the packets that are going from server to
client. This patch implements the addition of that feature in Neutron
and needs OVN version 22.03 or updated 21.12.

[0] https://patchwork.ozlabs.org/project/ovn/patch/20220201141118.1846390-1-mmichels@redhat.com/

Closes-Bug: #2003706
Change-Id: I72d061c333f53e07f6feedec032e2c0b06a61248
Signed-off-by: Elvira García <egarciar@redhat.com>
(cherry picked from commit f7e31b4c0533687622f8f2644c802574e31536f7)
This commit is contained in:
Elvira García 2023-01-19 14:48:23 +01:00 committed by Elvira García Ruiz
parent 931f0af2e3
commit d0d014c598
4 changed files with 48 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
neutron/services/logapi/drivers/ovn/driver.py
View File

@ -11,6 +11,7 @@
# under the License. # under the License.
from collections import namedtuple from collections import namedtuple
import random
from neutron_lib.api.definitions import portbindings from neutron_lib.api.definitions import portbindings
from neutron_lib.callbacks import resources from neutron_lib.callbacks import resources
@ -38,6 +39,7 @@ DRIVER = None
log_cfg.register_log_driver_opts() log_cfg.register_log_driver_opts()
MAX_INT_LABEL = 2**32
SUPPORTED_LOGGING_TYPES = [log_const.SECURITY_GROUP] SUPPORTED_LOGGING_TYPES = [log_const.SECURITY_GROUP]
@ -169,13 +171,20 @@ class OVNDriver(base.DriverBase):
if log_name: if log_name:
if acl.name and acl.name[0] != log_name: if acl.name and acl.name[0] != log_name:
continue continue
columns = {
'log': False,
'meter': [],
'name': [],
'severity': []
}
# TODO(egarciar): There wont be a need to check if label exists
# once minimum version for OVN is >= 22.03
if hasattr(acl, 'label'):
columns['label'] = 0
ovn_txn.add(self.ovn_nb.db_remove(
"ACL", acl_uuid, 'options', 'log-related'))
ovn_txn.add(self.ovn_nb.db_set( ovn_txn.add(self.ovn_nb.db_set(
"ACL", acl_uuid, "ACL", acl_uuid, *columns.items()))
("log", False),
("meter", []),
("name", []),
("severity", [])
))
acl_changes += 1 acl_changes += 1
msg = "Cleared %d, Not found %d (out of %d visited) ACLs" msg = "Cleared %d, Not found %d (out of %d visited) ACLs"
if log_name: if log_name:
@ -191,13 +200,20 @@ class OVNDriver(base.DriverBase):
# skip acls used by a different network log # skip acls used by a different network log
if acl.name and acl.name[0] != log_name: if acl.name and acl.name[0] != log_name:
continue continue
columns = {
'log': acl.action in actions_enabled,
'meter': self.meter_name,
'name': log_name,
'severity': "info"
}
# TODO(egarciar): There wont be a need to check if label exists
# once minimum version for OVN is >= 22.03
if hasattr(acl, "label"):
# Label needs to be an unsigned 32 bit number and not 0.
columns["label"] = random.randrange(1, MAX_INT_LABEL)
columns["options"] = {'log-related': "true"}
ovn_txn.add(self.ovn_nb.db_set( ovn_txn.add(self.ovn_nb.db_set(
"ACL", acl_uuid, "ACL", acl_uuid, *columns.items()))
("log", acl.action in actions_enabled),
("meter", self.meter_name),
("name", log_name),
("severity", "info")
))
acl_changes += 1 acl_changes += 1
LOG.info("Set %d (out of %d visited) ACLs for network log %s", LOG.info("Set %d (out of %d visited) ACLs for network log %s",
acl_changes, acl_visits, log_name) acl_changes, acl_visits, log_name)

10
neutron/tests/functional/services/logapi/drivers/ovn/test_driver.py
View File

@ -151,6 +151,16 @@ class LogApiTestCaseComplex(LogApiTestCaseBase):
acl = self._find_security_group_rule_row_by_id(sgr) acl = self._find_security_group_rule_row_by_id(sgr)
self.assertIsNotNone(acl) self.assertIsNotNone(acl)
self.assertEqual(is_enabled, acl.log) self.assertEqual(is_enabled, acl.log)
if hasattr(acl, "label"):
# Here we compare if there is a name because the log can be
# disabled but disabling a log would not take out the properties
# attached to it.
if acl.name:
self.assertNotEqual(0, acl.label)
self.assertEqual("true", acl.options.get("log-related"))
else:
self.assertEqual(0, acl.label)
self.assertIsNone(acl.options.get("log-related"))
return acl return acl
def _check_acl_log_drop(self, is_enabled=True): def _check_acl_log_drop(self, is_enabled=True):

5
neutron/tests/unit/services/logapi/drivers/ovn/test_driver.py
View File

@ -278,7 +278,10 @@ class TestOVNDriver(base.BaseTestCase):
self.assertEqual(len(pg_dict["acls"]), info_args[1]) self.assertEqual(len(pg_dict["acls"]), info_args[1])
self.assertEqual(len(pg_dict["acls"]) - 2, info_args[2]) self.assertEqual(len(pg_dict["acls"]) - 2, info_args[2])
self.assertEqual(len(pg_dict["acls"]), info_args[3]) self.assertEqual(len(pg_dict["acls"]), info_args[3])
self.assertEqual(len(pg_dict["acls"]), self._nb_ovn.db_set.call_count) self.assertEqual(len(pg_dict["acls"]),
self._nb_ovn.db_set.call_count)
self.assertEqual(len(pg_dict["acls"]),
self._nb_ovn.db_remove.call_count)
@mock.patch.object(ovn_driver.LOG, 'info') @mock.patch.object(ovn_driver.LOG, 'info')
def test__remove_acls_log_missing_acls(self, m_info): def test__remove_acls_log_missing_acls(self, m_info):

6
releasenotes/notes/sgl-log-related-traffic-ovn-96b304ab744de13e.yaml Normal file
View File

@ -0,0 +1,6 @@
---
fixes:
- |
Neutron can record full connection using log-related feature introduced in
OVN 21.12.
For more info see `bug LP#<https://bugs.launchpad.net/neutron/+bug/2003706>`