diff --git a/neutron/agent/linux/openvswitch_firewall/firewall.py b/neutron/agent/linux/openvswitch_firewall/firewall.py
index 3be0714513f..9e563e252b0 100644
--- a/neutron/agent/linux/openvswitch_firewall/firewall.py
+++ b/neutron/agent/linux/openvswitch_firewall/firewall.py
@@ -22,6 +22,7 @@ from neutron_lib.callbacks import events as callbacks_events
 from neutron_lib.callbacks import registry as callbacks_registry
 from neutron_lib.callbacks import resources as callbacks_resources
 from neutron_lib import constants as lib_const
+from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_utils import netutils
 
@@ -394,6 +395,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
                                    applied
         """
+        self.permitted_ethertypes = cfg.CONF.SECURITYGROUP.permitted_ethertypes
         self.int_br = self.initialize_bridge(integration_bridge)
         self.sg_port_map = SGPortMap()
         self.conj_ip_manager = ConjIPFlowManager(self)
@@ -992,6 +994,26 @@ class OVSFirewallDriver(firewall.FirewallDriver):
             reg_port=port.ofport,
             actions='output:{:d}'.format(port.ofport)
         )
+
+        # Allow custom ethertypes
+        for permitted_ethertype in self.permitted_ethertypes:
+            if permitted_ethertype[:2] == '0x':
+                try:
+                    hex_ethertype = hex(int(permitted_ethertype, base=16))
+                    self._add_flow(
+                        table=ovs_consts.BASE_INGRESS_TABLE,
+                        priority=100,
+                        dl_type=hex_ethertype,
+                        reg_port=port.ofport,
+                        actions='output:{:d}'.format(port.ofport)
+                    )
+                    continue
+                except ValueError:
+                    pass
+                LOG.warning("Custom ethertype %(permitted_ethertype)s is not "
+                            "a hexadecimal number.",
+                            {'permitted_ethertype': permitted_ethertype})
+
         self._initialize_ingress_ipv6_icmp(port)
 
         # DHCP offers
diff --git a/neutron/conf/agent/securitygroups_rpc.py b/neutron/conf/agent/securitygroups_rpc.py
index b49592efd38..94d3e12f2e2 100644
--- a/neutron/conf/agent/securitygroups_rpc.py
+++ b/neutron/conf/agent/securitygroups_rpc.py
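Review bot: Entries that do not start with `0x` are skipped silently in the `@@ -992` hunk, because the `LOG.warning` sits inside the `if permitted_ethertype[:2] == '0x':` branch, so a misconfigured value such as `4008` produces no log line at all, and the `try` also wraps `self._add_flow`, so a ValueError raised by the flow add would be misreported as "not a hexadecimal number". The parsed value is never range-checked either: `int('0x10000', 16)` succeeds, yet only 16-bit values from 0x0600 upwards are EtherTypes (lower values are 802.3 length fields), and an out-of-range `dl_type` would be rejected by OVS per port at flow-add time instead of at configuration load. Parsing and validating once in the `__init__` hunk (at `-394`) and storing ints would also stop the warning repeating for every port initialised. Only an ingress flow is installed here; if the egress side is not handled elsewhere (not visible in this diff), frames of these ethertypes are still dropped on egress, and a comment should say that these flows output straight from the base ingress table, so no security-group rule is evaluated for them. The enclosing method starts outside the hunk.
```python
        # Allow custom ethertypes. These flows output straight from the base
        # ingress table, so no security-group rule is evaluated for them.
        for permitted_ethertype in self.permitted_ethertypes:
            ethertype = None
            if permitted_ethertype[:2] == '0x':
                try:
                    ethertype = int(permitted_ethertype, base=16)
                except ValueError:
                    pass
            # 802.3 uses 0x0000-0x05dc as length fields; EtherTypes are
            # 16-bit values from 0x0600 upwards.
            if ethertype is None or not 0x0600 <= ethertype <= 0xffff:
                LOG.warning("Custom ethertype %(permitted_ethertype)s is not "
                            "a hexadecimal EtherType in the range "
                            "0x0600-0xffff.",
                            {'permitted_ethertype': permitted_ethertype})
                continue
            self._add_flow(
                table=ovs_consts.BASE_INGRESS_TABLE,
                priority=100,
                dl_type=hex(ethertype),
                reg_port=port.ofport,
                actions='output:{:d}'.format(port.ofport)
            )
        # … unchanged: self._initialize_ingress_ipv6_icmp(port) and DHCP flows …
```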
@@ -36,7 +36,13 @@ security_group_opts = [
         default=True,
         help=_('Use ipset to speed-up the iptables based security groups. '
                'Enabling ipset support requires that ipset is installed on L2 '
-               'agent node.'))
+               'agent node.')),
+    cfg.ListOpt(
+        'permitted_ethertypes',
+        default=[],
+        help=_('Comma-separated list of ethertypes to be permitted, in '
+               'hexadecimal (starting with "0x"). For example, "0x4008" '
+               'to permit InfiniBand.'))
 ]
diff --git a/releasenotes/notes/custom_ethertypes-eae3fcab3293e3a1.yaml b/releasenotes/notes/custom_ethertypes-eae3fcab3293e3a1.yaml
new file mode 100644
index 00000000000..43d7c9d7499
--- /dev/null
+++ b/releasenotes/notes/custom_ethertypes-eae3fcab3293e3a1.yaml
@@ -0,0 +1,9 @@
+---
+security:
+  - |
+    The OVS Firewall blocks traffic that does not have either the IPv4 or IPv6
+    ethertypes at present. This is a behavior change compared to the
+    iptables_hybrid firewall, which only operates on IP packets and thus does
+    not address other ethertypes. There is now a configuration option in the
+    neutron openvswitch agent configuration file for permitted ethertypes and
+    then ensures that the requested ethertypes are permitted on initialization.
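Review bot: The help text for `permitted_ethertypes` does not say what "permitted" means or which values are accepted: with the driver change in this commit, frames of a listed ethertype are output to the port directly from the base ingress table, so no security-group rule appears to apply to them, and only 16-bit values from 0x0600 to 0xffff are valid EtherTypes. Suggest extending the help with `'Frames with these ethertypes are forwarded by the OVS firewall driver without security-group filtering; values must be in the range 0x0600-0xffff.'`. The release note in this commit also states that the option affects only the OVS firewall driver, which belongs in the help too, since the option is registered in the shared `security_group_opts` list rather than an OVS-specific one.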