From 9ea6a616658268b833ccb787c181962898863058 Mon Sep 17 00:00:00 2001
From: Nate Johnston
Date: Fri, 28 Jun 2019 14:03:28 -0400
Subject: [PATCH] Add custom ethertype processing
The OVS Firewall blocks traffic that does not have either the IPv4 or IPv6 ethertypes at present. This is a behavior change compared to the iptables_hybrid firewall, which only operates on IP packets and thus does not address other ethertypes. This is a lightweight change that sets a configuration option in the neutron openvswitch agent configuration file for permitted ethertypes and then ensures that the requested ethertypes are permitted on initialization. This addresses the security and usability concerns on both master and stable branches while a full-fledged extension to the security groups API is considered.
Change-Id: Ide78b0b90cf6d6069ce3787fc60766be52062da0
Related-Bug: #1832758
---
 .../linux/openvswitch_firewall/firewall.py | 22 +++++++++++++++++++
 neutron/conf/agent/securitygroups_rpc.py | 8 ++++++-
 .../custom_ethertypes-eae3fcab3293e3a1.yaml | 9 ++++++++
 3 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/custom_ethertypes-eae3fcab3293e3a1.yaml
diff --git a/neutron/agent/linux/openvswitch_firewall/firewall.py b/neutron/agent/linux/openvswitch_firewall/firewall.py
index 8e7a35b7893..220e7aadc8f 100644
--- a/neutron/agent/linux/openvswitch_firewall/firewall.py
+++ b/neutron/agent/linux/openvswitch_firewall/firewall.py
@@ -22,6 +22,7 @@ from neutron_lib.callbacks import events as callbacks_events
 from neutron_lib.callbacks import registry as callbacks_registry
 from neutron_lib.callbacks import resources as callbacks_resources
 from neutron_lib import constants as lib_const
+from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_utils import netutils
@@ -395,6 +396,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
 applied """
+ self.permitted_ethertypes = cfg.CONF.SECURITYGROUP.permitted_ethertypes
 self.int_br = self.initialize_bridge(integration_bridge)
 self.sg_port_map = SGPortMap()
 self.conj_ip_manager = ConjIPFlowManager(self)
@@ -999,6 +1001,26 @@ class OVSFirewallDriver(firewall.FirewallDriver):
 reg_port=port.ofport,
 actions='output:{:d}'.format(port.ofport)
 )
+
+ # Allow custom ethertypes
+ for permitted_ethertype in self.permitted_ethertypes:
+ if permitted_ethertype[:2] == '0x':
+ try:
+ hex_ethertype = hex(int(permitted_ethertype, base=16))
+ self._add_flow(
+ table=ovs_consts.BASE_INGRESS_TABLE,
+ priority=100,
+ dl_type=hex_ethertype,
+ reg_port=port.ofport,
+ actions='output:{:d}'.format(port.ofport)
+ )
+ continue
+ except ValueError:
+ pass
+ LOG.warning("Custom ethertype %(permitted_ethertype)s is not " "a hexadecimal number.", {'permitted_ethertype': permitted_ethertype})
+
 self._initialize_ingress_ipv6_icmp(port)
 # DHCP offers
diff --git a/neutron/conf/agent/securitygroups_rpc.py b/neutron/conf/agent/securitygroups_rpc.py
index b49592efd38..94d3e12f2e2 100644
--- a/neutron/conf/agent/securitygroups_rpc.py
+++ b/neutron/conf/agent/securitygroups_rpc.py
@@ -36,7 +36,13 @@ security_group_opts = [
 default=True,
 help=_('Use ipset to speed-up the iptables based security groups. ' 'Enabling ipset support requires that ipset is installed on L2 '
- 'agent node.'))
+ 'agent node.')),
+ cfg.ListOpt(
+ 'permitted_ethertypes',
+ default=[],
+ help=_('Comma-separated list of ethertypes to be permitted, in ' 'hexadecimal (starting with "0x"). For example, "0x4008" ' 'to permit InfiniBand.'))
 ]
diff --git a/releasenotes/notes/custom_ethertypes-eae3fcab3293e3a1.yaml b/releasenotes/notes/custom_ethertypes-eae3fcab3293e3a1.yaml
new file mode 100644
index 00000000000..43d7c9d7499
--- /dev/null
+++ b/releasenotes/notes/custom_ethertypes-eae3fcab3293e3a1.yaml
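Review bot: The validation in the new "Allow custom ethertypes" loop only proves the entry is parseable hex, not that it is an ethertype: `int(permitted_ethertype, base=16)` accepts any magnitude (and surrounding whitespace), so an entry such as `0x1ffff` gets past the `ValueError` path and reaches `_add_flow` as `dl_type`, where it is the flow install rather than config validation that fails; the loop should also confirm the parsed value lies in the 16-bit Ethernet II range (0x0600–0xffff) before installing anything. Because this runs inside per-port initialization, a malformed entry is re-parsed and re-warned for every port the agent wires; parsing the list once where `self.permitted_ethertypes` is assigned in the `__init__` hunk above and keeping only validated integers would remove both problems. Note too that `0x0800` and `0x86dd` are accepted here even though those are the types the rest of the driver appears to steer through its IP tables; presumably an operator is not meant to list them, so rejecting them with a warning would avoid installing a priority-100 output flow that looks like it bypasses the security-group pipeline for IP traffic. The enclosing method starts before this hunk, so the surrounding flow context is not visible here.
```python
        # … unchanged: existing output flow for the port …

        # Allow custom ethertypes
        for permitted_ethertype in self.permitted_ethertypes:
            try:
                ethertype = int(permitted_ethertype, base=16)
            except ValueError:
                LOG.warning("Custom ethertype %(permitted_ethertype)s is not "
                            "a hexadecimal number.",
                            {'permitted_ethertype': permitted_ethertype})
                continue
            # dl_type is a 16-bit field; values below 0x0600 are IEEE 802.3
            # lengths, not ethertypes, and IPv4/IPv6 already have their own
            # path through the firewall tables.
            if not 0x0600 <= ethertype <= 0xffff or ethertype in (0x0800,
                                                                  0x86dd):
                LOG.warning("Custom ethertype %(permitted_ethertype)s is not "
                            "a permitted non-IP ethertype; ignoring it.",
                            {'permitted_ethertype': permitted_ethertype})
                continue
            self._add_flow(
                table=ovs_consts.BASE_INGRESS_TABLE,
                priority=100,
                dl_type=hex(ethertype),
                reg_port=port.ofport,
                actions='output:{:d}'.format(port.ofport)
            )

        # … unchanged: self._initialize_ingress_ipv6_icmp(port) and DHCP flows …
```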
@@ -0,0 +1,9 @@
+---
+security:
+ - |
+ The OVS Firewall blocks traffic that does not have either the IPv4 or IPv6
+ ethertypes at present. This is a behavior change compared to the
+ iptables_hybrid firewall, which only operates on IP packets and thus does
+ not address other ethertypes. There is now a configuration option in the
+ neutron openvswitch agent configuration file for permitted ethertypes and
+ then ensures that the requested ethertypes are permitted on initialization.