Merge "Add custom ethertype processing"

2019-07-01 11:00:55 +00:00 · 2019-07-01 11:00:55 +00:00 · 49c67014c2
commit 49c67014c2
parent 54946b7a73 9ea6a61665
3 changed files with 38 additions and 1 deletions
--- a/neutron/agent/linux/openvswitch_firewall/firewall.py
+++ b/neutron/agent/linux/openvswitch_firewall/firewall.py
@ -22,6 +22,7 @@ from neutron_lib.callbacks import events as callbacks_events
 from neutron_lib.callbacks import registry as callbacks_registry
 from neutron_lib.callbacks import resources as callbacks_resources
 from neutron_lib import constants as lib_const
+from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_utils import netutils

@ -395,6 +396,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
                                   applied

        """
+        self.permitted_ethertypes = cfg.CONF.SECURITYGROUP.permitted_ethertypes
        self.int_br = self.initialize_bridge(integration_bridge)
        self.sg_port_map = SGPortMap()
        self.conj_ip_manager = ConjIPFlowManager(self)
@ -999,6 +1001,26 @@ class OVSFirewallDriver(firewall.FirewallDriver):
            reg_port=port.ofport,
            actions='output:{:d}'.format(port.ofport)
        )
+
+        # Allow custom ethertypes
+        for permitted_ethertype in self.permitted_ethertypes:
+            if permitted_ethertype[:2] == '0x':
+                try:
+                    hex_ethertype = hex(int(permitted_ethertype, base=16))
+                    self._add_flow(
+                        table=ovs_consts.BASE_INGRESS_TABLE,
+                        priority=100,
+                        dl_type=hex_ethertype,
+                        reg_port=port.ofport,
+                        actions='output:{:d}'.format(port.ofport)
+                    )
+                    continue
+                except ValueError:
+                    pass
+            LOG.warning("Custom ethertype %(permitted_ethertype)s is not "
+                        "a hexadecimal number.",
+                        {'permitted_ethertype': permitted_ethertype})
+
        self._initialize_ingress_ipv6_icmp(port)

        # DHCP offers
--- a/neutron/conf/agent/securitygroups_rpc.py
+++ b/neutron/conf/agent/securitygroups_rpc.py
@ -36,7 +36,13 @@ security_group_opts = [
        default=True,
        help=_('Use ipset to speed-up the iptables based security groups. '
               'Enabling ipset support requires that ipset is installed on L2 '
-               'agent node.'))
+               'agent node.')),
+    cfg.ListOpt(
+        'permitted_ethertypes',
+        default=[],
+        help=_('Comma-separated list of ethertypes to be permitted, in '
+               'hexadecimal (starting with "0x"). For example, "0x4008" '
+               'to permit InfiniBand.'))
 ]


--- a/releasenotes/notes/custom_ethertypes-eae3fcab3293e3a1.yaml
+++ b/releasenotes/notes/custom_ethertypes-eae3fcab3293e3a1.yaml
@ -0,0 +1,9 @@
+---
+security:
+  - |
+    The OVS Firewall blocks traffic that does not have either the IPv4 or IPv6
+    ethertypes at present. This is a behavior change compared to the
+    iptables_hybrid firewall, which only operates on IP packets and thus does
+    not address other ethertypes.  There is now a configuration option in the
+    neutron openvswitch agent configuration file for permitted ethertypes and
+    then ensures that the requested ethertypes are permitted on initialization.