Merge "OVS flows for custom ethertypes must be on EGRESS"
@@ -899,6 +899,27 @@ class OVSFirewallDriver(firewall.FirewallDriver):
|
||||
actions='resubmit(,%d)' % ovs_consts.DROPPED_TRAFFIC_TABLE
|
||||
)
|
||||
|
||||
# Allow custom ethertypes
|
||||
for permitted_ethertype in self.permitted_ethertypes:
|
||||
if permitted_ethertype[:2] == '0x':
|
||||
try:
|
||||
hex_ethertype = hex(int(permitted_ethertype, base=16))
|
||||
action = ('resubmit(,%d)' %
|
||||
ovs_consts.ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE)
|
||||
self._add_flow(
|
||||
table=ovs_consts.BASE_EGRESS_TABLE,
|
||||
priority=95,
|
||||
dl_type=hex_ethertype,
|
||||
reg_port=port.ofport,
|
||||
actions=action
|
||||
)
|
||||
continue
|
||||
except ValueError:
|
||||
pass
|
||||
LOG.warning("Custom ethertype %(permitted_ethertype)s is not "
|
||||
"a hexadecimal number.",
|
||||
{'permitted_ethertype': permitted_ethertype})
|
||||
|
||||
# Drop all remaining egress connections
|
||||
self._add_flow(
|
||||
table=ovs_consts.BASE_EGRESS_TABLE,
|
||||
@@ -1015,25 +1036,6 @@ class OVSFirewallDriver(firewall.FirewallDriver):
|
||||
actions='output:{:d}'.format(port.ofport)
|
||||
)
|
||||
|
||||
# Allow custom ethertypes
|
||||
for permitted_ethertype in self.permitted_ethertypes:
|
||||
if permitted_ethertype[:2] == '0x':
|
||||
try:
|
||||
hex_ethertype = hex(int(permitted_ethertype, base=16))
|
||||
self._add_flow(
|
||||
table=ovs_consts.BASE_INGRESS_TABLE,
|
||||
priority=100,
|
||||
dl_type=hex_ethertype,
|
||||
reg_port=port.ofport,
|
||||
actions='output:{:d}'.format(port.ofport)
|
||||
)
|
||||
continue
|
||||
except ValueError:
|
||||
pass
|
||||
LOG.warning("Custom ethertype %(permitted_ethertype)s is not "
|
||||
"a hexadecimal number.",
|
||||
{'permitted_ethertype': permitted_ethertype})
|
||||
|
||||
self._initialize_ingress_ipv6_icmp(port)
|
||||
|
||||
# DHCP offers
|
||||
|
||||
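Review bot: In the first hunk, the new egress loop accepts any string that parses as hexadecimal, so a `permitted_ethertypes` entry such as `0x0800`, `0x0806` or `0x86dd` would install a priority-95 allow flow for IPv4, ARP or IPv6 that matches only `dl_type` and `reg_port`. Whether that flow outranks the anti-spoofing and connection-tracking flows in `BASE_EGRESS_TABLE` depends on priorities set outside this hunk, but the value should be range-checked and compared against the ethertypes the firewall already handles before `_add_flow` is called, for example `if not 0x0600 <= ethertype <= 0xffff or ethertype in (0x0800, 0x0806, 0x86dd):` followed by a warning and `continue`. The flow also has no source-MAC match, so frames with a permitted ethertype are accepted whatever their source MAC; if that is intended, a comment above the loop saying so would help. The enclosing method starts and ends outside the hunk.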