See below....
On 28/09/2021 17:10, Numan Siddique wrote:
On Tue, Sep 28, 2021 at 11:17 AM Brendan Doyle <[email protected]> wrote:
Also the ovn-controller proc is running with file log level info, which
I would have taken that only
ovn logs greater than info would have been logged:
ovn-controller unix:/run/openvswitch/db.sock -vconsole:emer -vsyslog:err
-vfile:info
On 28/09/2021 15:04, Brendan Doyle wrote:
Folks,
I can't find anything in docs on how this is supposed to work, but I
would have assumed
that if I set the ACL severity to 'alert' then I would only get a log,
if a pkt were dropped.
So for example I have an ACL rule:
to-lport 27000 (outport == @pg_vcn3_net1_sl3 && ip4.src ==
192.16.1.0/24 && udp.dst == 111) allow-related
log(name=fss-14,severity=alert)
I don't want to see logs for pkts that match this, but I do:
ovn-controller.log:2021-09-28T13:32:25.759Z|00023|acl_log(ovn_pinctrl0)|INFO|name="fss-14",
verdict=allow, severity=alert:
udp,vlan_tci=0x0000,dl_src=40:44:00:00:00:a0,dl_dst=40:44:00:00:05:00,nw_src=192.16.1.6,nw_dst=192.16.1.106,nw_tos=0,nw_ecn=0,nw_ttl=63,tp_src=825,tp_dst=111
Is this the expected behavior?
Yes. This is the expected behavior. Basically if an ACL is matched,
then it is logged if 'log' flag is set.
https://github.com/ovn-org/ovn/blob/master/lib/acl-log.c#L79
Please see
https://www.ovn.org/support/dist-docs/ovn-nb.5.html
and
look for logging in ACL table section
-----
Logging:
    These columns control whether and how OVN logs packets that match an
    ACL.

    log: boolean
        If set to true, packets that match the ACL will trigger a log
        message on the transport node or nodes that perform ACL
        processing. Logging may be combined with any action.

        If set to false, the remaining columns in this group have no
        significance.

    name: optional string, at most 63 characters long
        This name, if it is provided, is included in log records. It
        provides the administrator and the cloud management system a way
        to associate a log record with a particular ACL.

    severity: optional string, one of alert, debug, info, notice, or
    warning
        The severity of the ACL. The severity levels match those of
        syslog, in decreasing level of severity: alert, warning, notice,
        info, or debug. When the column is empty, the default is info.

    meter: optional string
        The name of a meter to rate-limit log messages for the ACL. The
        string must match the name column of a row in the Meter table.
        By default, log messages are not rate-limited. In order to
        ensure that the same Meter rate limits multiple ACL logs
        separately, set the fair column.
----
And I don't think the log level of ACL is to match the log level set
on ovn-controller logging.
That's a pity, just wondering what use 'severity' is then?
Thanks
Numan
And if so is the option to avoid ovn-controller.log filling up to
either not log allowed matches or to rate limit them
Thanks
Brendan
_______________________________________________
discuss mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
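
Added example (not part of the original thread and not OVN project code): a Python filter over ovn-controller.log that treats the ACL severity and verdict as fields of the record, which is how they appear in the line quoted above, where the vlog level is INFO while the record carries severity=alert. The function names and the second and third sample lines are constructed for illustration.

```python
import re

# ACL severities from the ovn-nb(5) excerpt in the thread, lowest first.
SEVERITIES = ["debug", "info", "notice", "warning", "alert"]

# vlog record layout as it appears in the thread: ts|seq|module(thread)|LEVEL|message.
# search() is used so a grep-style "ovn-controller.log:" prefix is tolerated.
ACL_LINE = re.compile(
    r'(?P<ts>\d{4}-\d\d-\d\dT[\d:.]+Z)\|\d+\|acl_log(?:\([^)]*\))?\|(?P<vlog_level>[A-Z]+)\|'
    r'name="(?P<name>[^"]*)",\s*verdict=(?P<verdict>[\w-]+),\s*'
    r'severity=(?P<severity>\w+):\s*(?P<flow>\S+)')

def parse_acl_log(line):
    """Return a dict for an acl_log record, or None for any other line."""
    m = ACL_LINE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    proto, _, fields = rec.pop("flow").partition(",")
    rec["proto"] = proto
    rec["flow"] = dict(kv.split("=", 1) for kv in fields.split(",") if "=" in kv)
    return rec

def select(lines, min_severity="debug", verdicts=None):
    """Keep ACL records at or above min_severity; verdicts=None accepts any verdict."""
    floor = SEVERITIES.index(min_severity)
    kept = []
    for rec in filter(None, map(parse_acl_log, lines)):
        rank = SEVERITIES.index(rec["severity"]) if rec["severity"] in SEVERITIES else -1
        if rank >= floor and (verdicts is None or rec["verdict"] in verdicts):
            kept.append(rec)
    return kept

# Constructed input: line 1 is the record quoted in the thread, unwrapped onto one
# line; lines 2 and 3 are made up for this example.
SAMPLE = [
    'ovn-controller.log:2021-09-28T13:32:25.759Z|00023|acl_log(ovn_pinctrl0)|INFO|'
    'name="fss-14", verdict=allow, severity=alert: udp,vlan_tci=0x0000,'
    'dl_src=40:44:00:00:00:a0,dl_dst=40:44:00:00:05:00,nw_src=192.16.1.6,'
    'nw_dst=192.16.1.106,nw_tos=0,nw_ecn=0,nw_ttl=63,tp_src=825,tp_dst=111',
    '2021-09-28T13:32:26.101Z|00024|acl_log(ovn_pinctrl0)|INFO|'
    'name="fss-99", verdict=drop, severity=warning: tcp,vlan_tci=0x0000,'
    'nw_src=192.16.1.7,nw_dst=192.16.1.106,tp_src=40000,tp_dst=22',
    '2021-09-28T13:32:27.000Z|00025|example_module|INFO|constructed non-ACL line',
]

if __name__ == "__main__":
    for rec in select(SAMPLE, verdicts={"drop", "reject"}):
        print(rec["ts"], rec["name"], rec["severity"], rec["flow"].get("nw_src"))
```

Filtering on the verdict field keeps the allow-related matches out of whatever consumes the log; it does not reduce what ovn-controller writes, which is what the meter column in the excerpt above is for.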