
Merge "Add custom ethertype processing" into stable/queens

changes/12/663712/2
Zuul 2 months ago
parent
commit
2b2e62d612

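--- a/neutron/agent/linux/openvswitch_firewall/firewall.py
+++ b/neutron/agent/linux/openvswitch_firewall/firewall.py
@@ -22,6 +22,7 @@ from neutron_lib.callbacks import events as callbacks_events
 from neutron_lib.callbacks import registry as callbacks_registry
 from neutron_lib.callbacks import resources as callbacks_resources
 from neutron_lib import constants as lib_const
+from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_utils import netutils
 
@@ -394,6 +395,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
                                    applied
 
         """
+        self.permitted_ethertypes = cfg.CONF.SECURITYGROUP.permitted_ethertypes
         self.int_br = self.initialize_bridge(integration_bridge)
         self.sg_port_map = SGPortMap()
         self.conj_ip_manager = ConjIPFlowManager(self)
@@ -992,6 +994,26 @@ class OVSFirewallDriver(firewall.FirewallDriver):
             reg_port=port.ofport,
             actions='output:{:d}'.format(port.ofport)
         )
+
+        # Allow custom ethertypes
+        for permitted_ethertype in self.permitted_ethertypes:
+            if permitted_ethertype[:2] == '0x':
+                try:
+                    hex_ethertype = hex(int(permitted_ethertype, base=16))
+                    self._add_flow(
+                        table=ovs_consts.BASE_INGRESS_TABLE,
+                        priority=100,
+                        dl_type=hex_ethertype,
+                        reg_port=port.ofport,
+                        actions='output:{:d}'.format(port.ofport)
+                    )
+                    continue
+                except ValueError:
+                    pass
+            LOG.warning("Custom ethertype %(permitted_ethertype)s is not "
+                        "a hexadecimal number.",
+                        {'permitted_ethertype': permitted_ethertype})
+
         self._initialize_ingress_ipv6_icmp(port)
 
         # DHCP offers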
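Review bot: The `try` in the new loop also wraps the `self._add_flow(...)` call, so a ValueError raised while building or pushing the flow is swallowed by `except ValueError: pass` and then misreported as "not a hexadecimal number"; only the `int(permitted_ethertype, base=16)` parse belongs inside the `try`. The parsed value is also never checked against the 16-bit ethertype range, so a configured string such as "0x12345678" passes the check and the oversized `dl_type` is only rejected later by OVS, if at all. Separately, nothing rejects values such as 0x0800 or 0x86DD; since the added flow outputs straight to the port at priority 100 in the base ingress table, listing them would appear to let IP traffic skip the remaining ingress processing, so rejecting (or at least logging) those ethertypes seems worthwhile unless that is intended. The enclosing method starts outside this hunk.
```python
        # Allow custom ethertypes
        for permitted_ethertype in self.permitted_ethertypes:
            ethertype = None
            if permitted_ethertype[:2] == '0x':
                try:
                    ethertype = int(permitted_ethertype, base=16)
                except ValueError:
                    pass
            # Ethertype is a 16-bit field; reject anything that does not fit.
            if ethertype is None or not 0 <= ethertype <= 0xffff:
                LOG.warning("Custom ethertype %(permitted_ethertype)s is not "
                            "a hexadecimal number in the range 0x0000-0xffff.",
                            {'permitted_ethertype': permitted_ethertype})
                continue
            self._add_flow(
                table=ovs_consts.BASE_INGRESS_TABLE,
                priority=100,
                dl_type=hex(ethertype),
                reg_port=port.ofport,
                actions='output:{:d}'.format(port.ofport)
            )
```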

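--- a/neutron/conf/agent/securitygroups_rpc.py
+++ b/neutron/conf/agent/securitygroups_rpc.py
@@ -36,7 +36,13 @@ security_group_opts = [
         default=True,
         help=_('Use ipset to speed-up the iptables based security groups. '
                'Enabling ipset support requires that ipset is installed on L2 '
-               'agent node.'))
+               'agent node.')),
+    cfg.ListOpt(
+        'permitted_ethertypes',
+        default=[],
+        help=_('Comma-separated list of ethertypes to be permitted, in '
+               'hexadecimal (starting with "0x"). For example, "0x4008" '
+               'to permit InfiniBand.'))
 ]
 
 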
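Review bot: The help text for `permitted_ethertypes` does not say which component honours the option; as far as this commit shows, only the OVS firewall driver reads it, so an operator running another firewall driver would set it to no effect. Suggest extending the help with `'This option is only honoured by the openvswitch firewall driver.'` and stating the accepted range, e.g. `'Each value must be a 16-bit hexadecimal number.'`, since invalid entries are otherwise only reported as warnings when a port is set up. The `security_group_opts` list starts outside this hunk.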

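--- /dev/null
+++ b/releasenotes/notes/custom_ethertypes-eae3fcab3293e3a1.yaml
@@ -0,0 +1,9 @@
+---
+security:
+  - |
+    The OVS Firewall blocks traffic that does not have either the IPv4 or IPv6
+    ethertypes at present. This is a behavior change compared to the
+    iptables_hybrid firewall, which only operates on IP packets and thus does
+    not address other ethertypes.  There is now a configuration option in the
+    neutron openvswitch agent configuration file for permitted ethertypes and
+    then ensures that the requested ethertypes are permitted on initialization.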
