Merge "Add custom ethertype processing" into stable/queens
This commit is contained in:
commit
2b2e62d612
|
@ -22,6 +22,7 @@ from neutron_lib.callbacks import events as callbacks_events
|
||||||
from neutron_lib.callbacks import registry as callbacks_registry
|
from neutron_lib.callbacks import registry as callbacks_registry
|
||||||
from neutron_lib.callbacks import resources as callbacks_resources
|
from neutron_lib.callbacks import resources as callbacks_resources
|
||||||
from neutron_lib import constants as lib_const
|
from neutron_lib import constants as lib_const
|
||||||
|
from oslo_config import cfg
|
||||||
from oslo_log import log as logging
|
from oslo_log import log as logging
|
||||||
from oslo_utils import netutils
|
from oslo_utils import netutils
|
||||||
|
|
||||||
|
@ -394,6 +395,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
|
||||||
applied
|
applied
|
||||||
|
|
||||||
"""
|
"""
|
||||||
|
self.permitted_ethertypes = cfg.CONF.SECURITYGROUP.permitted_ethertypes
|
||||||
self.int_br = self.initialize_bridge(integration_bridge)
|
self.int_br = self.initialize_bridge(integration_bridge)
|
||||||
self.sg_port_map = SGPortMap()
|
self.sg_port_map = SGPortMap()
|
||||||
self.conj_ip_manager = ConjIPFlowManager(self)
|
self.conj_ip_manager = ConjIPFlowManager(self)
|
||||||
|
@ -992,6 +994,26 @@ class OVSFirewallDriver(firewall.FirewallDriver):
|
||||||
reg_port=port.ofport,
|
reg_port=port.ofport,
|
||||||
actions='output:{:d}'.format(port.ofport)
|
actions='output:{:d}'.format(port.ofport)
|
||||||
)
|
)
|
||||||
|
|
||||||
|
# Allow custom ethertypes
|
||||||
|
for permitted_ethertype in self.permitted_ethertypes:
|
||||||
|
if permitted_ethertype[:2] == '0x':
|
||||||
|
try:
|
||||||
|
hex_ethertype = hex(int(permitted_ethertype, base=16))
|
||||||
|
self._add_flow(
|
||||||
|
table=ovs_consts.BASE_INGRESS_TABLE,
|
||||||
|
priority=100,
|
||||||
|
dl_type=hex_ethertype,
|
||||||
|
reg_port=port.ofport,
|
||||||
|
actions='output:{:d}'.format(port.ofport)
|
||||||
|
)
|
||||||
|
continue
|
||||||
|
except ValueError:
|
||||||
|
pass
|
||||||
|
LOG.warning("Custom ethertype %(permitted_ethertype)s is not "
|
||||||
|
"a hexadecimal number.",
|
||||||
|
{'permitted_ethertype': permitted_ethertype})
|
||||||
|
|
||||||
self._initialize_ingress_ipv6_icmp(port)
|
self._initialize_ingress_ipv6_icmp(port)
|
||||||
|
|
||||||
# DHCP offers
|
# DHCP offers
|
||||||
|
|
|
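Review bot: The `try` opened at L112 encloses `self._add_flow(...)` and the `continue` along with the parse, so a `ValueError` raised from inside `_add_flow` is swallowed and logged as "not a hexadecimal number"; only `int(permitted_ethertype, base=16)` should sit inside the `try`, with the flow call after it. The parse also has no range check, so a value that does not fit 16 bits still reaches `dl_type`, and `0X`-prefixed values are rejected by the `[:2] == '0x'` test although `int(..., 16)` accepts them. Because this runs per port, every malformed entry is warned about once per port; parsing and validating the list once in `__init__` (the hunk at L42, where `self.permitted_ethertypes` is set) and storing normalized integers would surface bad configuration at agent start instead. A short comment such as `# These flows bypass security-group rule evaluation for the listed ethertypes` would also make the trust implication explicit at the point of use. The enclosing method begins and ends outside this hunk.
```python
        # Allow custom ethertypes
        for permitted_ethertype in self.permitted_ethertypes:
            try:
                # Only the parse may raise ValueError; keep _add_flow outside
                # so its own failures are not reported as a bad config value.
                ethertype = int(permitted_ethertype, base=16)
            except ValueError:
                ethertype = None
            if (ethertype is None or
                    permitted_ethertype[:2].lower() != '0x' or
                    not 0 <= ethertype <= 0xffff):
                LOG.warning("Custom ethertype %(permitted_ethertype)s is not "
                            "a hexadecimal number in the range 0x0-0xffff.",
                            {'permitted_ethertype': permitted_ethertype})
                continue
            self._add_flow(
                table=ovs_consts.BASE_INGRESS_TABLE,
                priority=100,
                dl_type=hex(ethertype),
                reg_port=port.ofport,
                actions='output:{:d}'.format(port.ofport)
            )
```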
@ -36,7 +36,13 @@ security_group_opts = [
|
||||||
default=True,
|
default=True,
|
||||||
help=_('Use ipset to speed-up the iptables based security groups. '
|
help=_('Use ipset to speed-up the iptables based security groups. '
|
||||||
'Enabling ipset support requires that ipset is installed on L2 '
|
'Enabling ipset support requires that ipset is installed on L2 '
|
||||||
'agent node.'))
|
'agent node.')),
|
||||||
|
cfg.ListOpt(
|
||||||
|
'permitted_ethertypes',
|
||||||
|
default=[],
|
||||||
|
help=_('Comma-separated list of ethertypes to be permitted, in '
|
||||||
|
'hexadecimal (starting with "0x"). For example, "0x4008" '
|
||||||
|
'to permit InfiniBand.'))
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
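Review bot: The help text for `permitted_ethertypes` (L226-L234) describes the format but not the effect: in the driver hunk at L78 each listed ethertype gets a priority-100 flow in the base ingress table with a plain `output:` action, which appears to forward that traffic without security-group rule evaluation on every port the driver initializes. An operator reading the option needs that stated, e.g. append `'Traffic with a listed ethertype appears to be forwarded regardless of security group rules.'` to the help string (wording to be confirmed against the full driver). The format check could also live here rather than in the per-port loop, for instance via oslo.config's `item_type=types.String(regex=...)` so malformed values are rejected when the agent loads its configuration; that would need `types` imported from `oslo_config` in this file.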
@ -0,0 +1,9 @@
|
||||||
|
---
|
||||||
|
security:
|
||||||
|
- |
|
||||||
|
The OVS Firewall blocks traffic that does not have either the IPv4 or IPv6
|
||||||
|
ethertypes at present. This is a behavior change compared to the
|
||||||
|
iptables_hybrid firewall, which only operates on IP packets and thus does
|
||||||
|
not address other ethertypes. There is now a configuration option in the
|
||||||
|
neutron openvswitch agent configuration file for permitted ethertypes and
|
||||||
|
then ensures that the requested ethertypes are permitted on initialization.
|