openstack/neutron
Code Issues Proposed changes
b2b40b6a8c
neutron/neutron/conf/agent/securitygroups_rpc.py
Nate Johnston 9ea6a61665 Add custom ethertype processing 
The OVS Firewall blocks traffic that does not have either the IPv4 or
IPv6 ethertypes at present.  This is a behavior change compared to the
iptables_hybrid firewall, which only operates on IP packets and thus
does not address other ethertypes.

This is a lightweight change that sets a configuration option in the
neutron openvswitch agent configuration file for permitted ethertypes
and then ensures that the requested ethertypes are permitted on
initialization.  This addresses the security and usability concerns on
both master and stable branches while a full-fledged extension to the
security groups API is considered.

Change-Id: Ide78b0b90cf6d6069ce3787fc60766be52062da0
Related-Bug: #1832758
2019-06-28 14:07:16 -04:00

51 lines
1.7 KiB
Python
Raw Blame History

# Copyright 2012, Nachi Ueno, NTT MCL, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
from oslo_config import cfg
from neutron._i18n import _
security_group_opts = [
cfg.StrOpt(
'firewall_driver',
help=_('Driver for security groups firewall in the L2 agent')),
cfg.BoolOpt(
'enable_security_group',
default=True,
help=_(
'Controls whether the neutron security group API is enabled '
'in the server. It should be false when using no security '
'groups or using the nova security group API.')),
cfg.BoolOpt(
'enable_ipset',
default=True,
help=_('Use ipset to speed-up the iptables based security groups. '
'Enabling ipset support requires that ipset is installed on L2 '
'agent node.')),
cfg.ListOpt(
'permitted_ethertypes',
default=[],
help=_('Comma-separated list of ethertypes to be permitted, in '
'hexadecimal (starting with "0x"). For example, "0x4008" '
'to permit InfiniBand.'))
]
def register_securitygroups_opts(cfg=cfg.CONF):
cfg.register_opts(security_group_opts, 'SECURITYGROUP')
View Git Blame Copy Permalink