9ea6a61665
The OVS Firewall blocks traffic that does not have either the IPv4 or IPv6 ethertypes at present. This is a behavior change compared to the iptables_hybrid firewall, which only operates on IP packets and thus does not address other ethertypes. This is a lightweight change that sets a configuration option in the neutron openvswitch agent configuration file for permitted ethertypes and then ensures that the requested ethertypes are permitted on initialization. This addresses the security and usability concerns on both master and stable branches while a full-fledged extension to the security groups API is considered. Change-Id: Ide78b0b90cf6d6069ce3787fc60766be52062da0 Related-Bug: #1832758
51 lines
1.7 KiB
Python
51 lines
1.7 KiB
Python
# Copyright 2012, Nachi Ueno, NTT MCL, Inc.
|
|
# All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
#
|
|
|
|
|
|
from oslo_config import cfg
|
|
|
|
from neutron._i18n import _
|
|
|
|
|
|
security_group_opts = [
|
|
cfg.StrOpt(
|
|
'firewall_driver',
|
|
help=_('Driver for security groups firewall in the L2 agent')),
|
|
cfg.BoolOpt(
|
|
'enable_security_group',
|
|
default=True,
|
|
help=_(
|
|
'Controls whether the neutron security group API is enabled '
|
|
'in the server. It should be false when using no security '
|
|
'groups or using the nova security group API.')),
|
|
cfg.BoolOpt(
|
|
'enable_ipset',
|
|
default=True,
|
|
help=_('Use ipset to speed-up the iptables based security groups. '
|
|
'Enabling ipset support requires that ipset is installed on L2 '
|
|
'agent node.')),
|
|
cfg.ListOpt(
|
|
'permitted_ethertypes',
|
|
default=[],
|
|
help=_('Comma-separated list of ethertypes to be permitted, in '
|
|
'hexadecimal (starting with "0x"). For example, "0x4008" '
|
|
'to permit InfiniBand.'))
|
|
]
|
|
|
|
|
|
def register_securitygroups_opts(cfg=cfg.CONF):
|
|
cfg.register_opts(security_group_opts, 'SECURITYGROUP')
|