openstack
/
neutron
Code Issues Proposed changes

Merge "Add custom ethertype processing" into stable/queens

This commit is contained in:
Zuul 2019-07-04 17:02:07 +00:00 committed by Gerrit Code Review
parent 532c2f7939 51d71097c9
commit 2b2e62d612
3 changed files with 38 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
neutron/agent/linux/openvswitch_firewall/firewall.py
View File

@ -22,6 +22,7 @@ from neutron_lib.callbacks import events as callbacks_events
from neutron_lib.callbacks import registry as callbacks_registry from neutron_lib.callbacks import registry as callbacks_registry
from neutron_lib.callbacks import resources as callbacks_resources from neutron_lib.callbacks import resources as callbacks_resources
from neutron_lib import constants as lib_const from neutron_lib import constants as lib_const
from oslo_config import cfg
from oslo_log import log as logging from oslo_log import log as logging
from oslo_utils import netutils from oslo_utils import netutils
@ -394,6 +395,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
applied applied
""" """
self.permitted_ethertypes = cfg.CONF.SECURITYGROUP.permitted_ethertypes
self.int_br = self.initialize_bridge(integration_bridge) self.int_br = self.initialize_bridge(integration_bridge)
self.sg_port_map = SGPortMap() self.sg_port_map = SGPortMap()
self.conj_ip_manager = ConjIPFlowManager(self) self.conj_ip_manager = ConjIPFlowManager(self)
@ -992,6 +994,26 @@ class OVSFirewallDriver(firewall.FirewallDriver):
reg_port=port.ofport, reg_port=port.ofport,
actions='output:{:d}'.format(port.ofport) actions='output:{:d}'.format(port.ofport)
) )
# Allow custom ethertypes
for permitted_ethertype in self.permitted_ethertypes:
if permitted_ethertype[:2] == '0x':
try:
hex_ethertype = hex(int(permitted_ethertype, base=16))
self._add_flow(
table=ovs_consts.BASE_INGRESS_TABLE,
priority=100,
dl_type=hex_ethertype,
reg_port=port.ofport,
actions='output:{:d}'.format(port.ofport)
)
continue
except ValueError:
pass
LOG.warning("Custom ethertype %(permitted_ethertype)s is not "
"a hexadecimal number.",
{'permitted_ethertype': permitted_ethertype})
self._initialize_ingress_ipv6_icmp(port) self._initialize_ingress_ipv6_icmp(port)
# DHCP offers # DHCP offers

8
neutron/conf/agent/securitygroups_rpc.py
View File

@ -36,7 +36,13 @@ security_group_opts = [
default=True, default=True,
help=_('Use ipset to speed-up the iptables based security groups. ' help=_('Use ipset to speed-up the iptables based security groups. '
'Enabling ipset support requires that ipset is installed on L2 ' 'Enabling ipset support requires that ipset is installed on L2 '
'agent node.')) 'agent node.')),
cfg.ListOpt(
'permitted_ethertypes',
default=[],
help=_('Comma-separated list of ethertypes to be permitted, in '
'hexadecimal (starting with "0x"). For example, "0x4008" '
'to permit InfiniBand.'))
] ]

9
releasenotes/notes/custom_ethertypes-eae3fcab3293e3a1.yaml Normal file
View File

@ -0,0 +1,9 @@
---
security:
- |
The OVS Firewall blocks traffic that does not have either the IPv4 or IPv6
ethertypes at present. This is a behavior change compared to the
iptables_hybrid firewall, which only operates on IP packets and thus does
not address other ethertypes. There is now a configuration option in the
neutron openvswitch agent configuration file for permitted ethertypes and
then ensures that the requested ethertypes are permitted on initialization.