On Thu, Jul 27, 2017 at 5:59 PM, Justin Pettit <jpet...@ovn.org> wrote: > > > It seems "invalid" packets won't get logged in this patch. I think it would be useful: in addition to log packets per-ACL, enable logging for packets returned as "invalid" state from conntrack. It can be a global configuration to enable/disable this behavior. > > That's a great point. I'd meant to do that when I started this series, but forgot along the way. I think we need more than just logging for invalid packets, though, so I'll add that as a follow-up patch. > Sure, I am ok with a follow-up patch. But I wonder what else is needed for invalid packets beside logging? We are dropping them already.
> > > static void > > > +pinctrl_handle_log(struct dp_packet *packet OVS_UNUSED, > > > > Why need this parameter if it is not useful? > > Fixed. > > > > + const struct flow *headers, > > > + struct ofpbuf *userdata) > > > +{ > > > + struct log_pin_header *lph = ofpbuf_try_pull(userdata, sizeof *lph); > > > + if (!lph) { > > > + VLOG_WARN("log data missing"); > > > + return; > > > + } > > > + > > > + int name_len = ntohs(lph->name_len); > > > + char *name = xmalloc(name_len+1); > > > + if (name_len) { > > > + char *tmp_name = ofpbuf_try_pull(userdata, name_len); > > > + if (!name) { > > > > It should be: if (!tmp_name) > > Good catch. Fixed. > > > > + VLOG_WARN("name missing"); > > > + free(name); > > > + return; > > > + } > > > + memcpy(name, tmp_name, name_len); > > > + } > > > + name[name_len] = '\0'; > > > + > > > + char *packet_str = flow_to_string(headers, NULL); > > > + VLOG_INFO("ACL name=%s, verdict=%s, severity=%s, packet=\"%s\"", > > > > The log action may be more generic than just for ACL. So would it better to avoid hardcode "ACL" here in the message? "ACL" could be indicated in verdict instead, since there could be more use cases that need packet logging in the future. > > These are part of the ACL infrastructure, so I'd think ACL makes sense. I also wanted to give some sort of handle that someone can easily grep through the logs. Do you have a specific suggestion? > I'd suggest to have a more general keyword e.g. "LOG", and include the "ACL" keyword in the verdict itself, i.e. generated by log_verdict_to_string(). So user can grep "LOG" for all packet logging, and grep "ACL" for all ACL related packet logging. > > > +enum log_verdict { > > > + LOG_VERDICT_ALLOW, > > > + LOG_VERDICT_DROP, > > > + LOG_VERDICT_REJECT, > > > > Better to be LOG_VERDICT_ACL_ALLOW, LOG_VERDICT_ACL_DROP, LOG_VERDICT_ACL_REJECT, so that in the future we can support other use cases for logging. > > Do you have an example or two of the type of thing you think we might need in the future? If it needs to be that flexible, we could just pass around strings, but I do worry about passing too much data through the datapath upcall mechanism. > I have no real example yet. But since the action is defined as "log" instead of "acl_log", I think it makes sense to be more generic. I don't think we need to be more flexible but just make it more extensible. I don't have strong opinion though. Maybe we can change it in the future if new type of logging is needed. Or maybe there is use case from someone else? > > > static void > > > +build_acl_log(struct ds *actions, const struct nbrec_acl *acl) > > > +{ > > > + if (!acl->log) { > > > + return; > > > + } > > > + > > > + ds_put_cstr(actions, "log("); > > > + > > > + if (acl->name) { > > > + ds_put_format(actions, "name=\"%s\", ", acl->name); > > > > Would it be good to use first byte of ACL uuid (which is also used as stage_hint) when name is empty? > > That's an interesting idea, but I have mixed feelings about it. The first byte would only allow 16 different identifiers, but I think generally people have many more. We could use more bytes from the UUID, but these logs could last quite a while, so it may cause confusion if they've changed, and people are trying to correlate them later. Obviously, if they really want to correlate them, they should use a name, but I wonder if it would be just useful enough to be frustrating. > Sorry, I meant first 8 bytes, not just one :). Existing deployment may already (e.g. openstack) stored information in external-ids, which could be used to correlate. However, I agree with you that it is better to have exactly one behavior. > > > > > > + <column name="severity"> > > > <p> > > > - Logging is not yet implemented. > > > + When <ref column="log"/> is <code>true</code> indicates the > > > + severity of the ACL. The severity levels match those of syslog > > > > s/severity of the ACL/severity of the log/ because ACL doesn't have severity. > > I'm worried that that phrasing may indicate that it's the level it will logged at, when it's really just an indication by the user about how concerned they are with this ACL (or whatever you want to call it) entry. OK. I don't know why I was under the impression it was for the log level. Checked the code again and I realized it is actually just a keyword in the log. Now I am not sure if this key word is really useful, because I really don't think ACL has severity. If user is more concerned about one ACL over another, they can anyway figure out from the correlation. BTW, I have another point for this code: + VLOG_INFO("ACL name=%s, verdict=%s, severity=%s, packet=\"%s\"", + name_len ? name : "<unnamed>", + log_verdict_to_string(lph->verdict), + log_severity_to_string(lph->severity), packet_str); I think we need ratelimit for the log itself. It can be configurable through local ovsdb for the ovn-controller. It is not critical, but I think it is good to have. (I have some code for that already so I can come up with a follow-up patch if you don't mind). > > > > @@ -332,7 +333,7 @@ Logical switch commands:\n\ > > > ls-list print the names of all logical switches\n\ > > > \n\ > > > ACL commands:\n\ > > > - acl-add SWITCH DIRECTION PRIORITY MATCH ACTION [log]\n\ > > > + acl-add [--log] SWITCH DIRECTION PRIORITY MATCH ACTION\n\ > > > > The optional "name" and "severity" are missing in the help message. > > Yes, I was running out of space on an 80-column terminal. I think we have other examples of dropping non-essential parameters. I'll poke around to see what other project do. > > > Acked-by: Han Zhou <zhou...@gmail.com> > > Thanks! > > --Justin > > _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev