Merge "Add custom ethertype processing"

This commit is contained in:
Zuul 2019-07-01 11:00:55 +00:00 committed by Gerrit Code Review
commit 49c67014c2
3 changed files with 38 additions and 1 deletions

@ -22,6 +22,7 @@ from neutron_lib.callbacks import events as callbacks_events
from neutron_lib.callbacks import registry as callbacks_registry
from neutron_lib.callbacks import resources as callbacks_resources
from neutron_lib import constants as lib_const
from oslo_config import cfg
from oslo_log import log as logging
from oslo_utils import netutils
@ -395,6 +396,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
applied
"""
self.permitted_ethertypes = cfg.CONF.SECURITYGROUP.permitted_ethertypes
self.int_br = self.initialize_bridge(integration_bridge)
self.sg_port_map = SGPortMap()
self.conj_ip_manager = ConjIPFlowManager(self)
@ -999,6 +1001,26 @@ class OVSFirewallDriver(firewall.FirewallDriver):
reg_port=port.ofport,
actions='output:{:d}'.format(port.ofport)
)
# Allow custom ethertypes
for permitted_ethertype in self.permitted_ethertypes:
if permitted_ethertype[:2] == '0x':
try:
hex_ethertype = hex(int(permitted_ethertype, base=16))
self._add_flow(
table=ovs_consts.BASE_INGRESS_TABLE,
priority=100,
dl_type=hex_ethertype,
reg_port=port.ofport,
actions='output:{:d}'.format(port.ofport)
)
continue
except ValueError:
pass
LOG.warning("Custom ethertype %(permitted_ethertype)s is not "
"a hexadecimal number.",
{'permitted_ethertype': permitted_ethertype})
self._initialize_ingress_ipv6_icmp(port)
# DHCP offers
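Review bot: The parse at `hex(int(permitted_ethertype, base=16))` accepts an integer of any width, so a value that does not fit a 16-bit ethertype (say `0x10000`) passes the `except ValueError` guard and is only rejected, if at all, when `_add_flow` hands the `dl_type` to OVS; bound it before building the flow, e.g. `ethertype = int(permitted_ethertype, base=16)` followed by `if not 0 < ethertype <= 0xffff:` logging the same warning and `continue`. Since this loop runs each time a port is initialised, a malformed entry is also re-parsed and re-warned once per port; validating and normalising the list once in `__init__`, next to `self.permitted_ethertypes = cfg.CONF.SECURITYGROUP.permitted_ethertypes`, and storing only the accepted values would do that work a single time. An entry equal to the IPv4 or IPv6 ethertype installs a priority-100 direct output flow that, as far as can be seen from this hunk, would take precedence over the security-group handling of that traffic, so it may be worth rejecting those values explicitly with a warning. The enclosing method starts before this hunk and continues after it.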

@ -36,7 +36,13 @@ security_group_opts = [
default=True,
help=_('Use ipset to speed-up the iptables based security groups. '
'Enabling ipset support requires that ipset is installed on L2 '
'agent node.'))
'agent node.')),
cfg.ListOpt(
'permitted_ethertypes',
default=[],
help=_('Comma-separated list of ethertypes to be permitted, in '
'hexadecimal (starting with "0x"). For example, "0x4008" '
'to permit InfiniBand.'))
]
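Review bot: The new `permitted_ethertypes` option is declared as a bare `cfg.ListOpt` with no item validation, so a non-hex entry is only caught at runtime in the firewall driver rather than when the configuration is loaded; oslo.config can reject it up front with `item_type=types.String(regex=r'^0x[0-9a-fA-F]{1,4}$')` (this needs `from oslo_config import types`, which is not visible in this hunk). The help text could also state what happens to invalid entries, e.g. `'Entries that are not valid hexadecimal ethertypes are ignored with a warning.'`, so operators know the option is best-effort. The `security_group_opts` list starts before this hunk.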

@ -0,0 +1,9 @@
---
security:
- |
The OVS Firewall blocks traffic that does not have either the IPv4 or IPv6
ethertypes at present. This is a behavior change compared to the
iptables_hybrid firewall, which only operates on IP packets and thus does
not address other ethertypes. There is now a configuration option in the
neutron openvswitch agent configuration file for permitted ethertypes and
then ensures that the requested ethertypes are permitted on initialization.