Add custom ethertype processing

The OVS Firewall blocks traffic that does not have either the IPv4 or
IPv6 ethertypes at present.  This is a behavior change compared to the
iptables_hybrid firewall, which only operates on IP packets and thus
does not address other ethertypes.

This is a lightweight change that sets a configuration option in the
neutron openvswitch agent configuration file for permitted ethertypes
and then ensures that the requested ethertypes are permitted on
initialization.  This addresses the security and usability concerns on
both master and stable branches while a full-fledged extension to the
security groups API is considered.

Change-Id: Ide78b0b90cf6d6069ce3787fc60766be52062da0
Related-Bug: #1832758
(cherry picked from commit 9ea6a61)

neutron/agent/linux/openvswitch_firewall/firewall.py

@@ -22,6 +22,7 @@
 from neutron_lib.callbacks import registry as callbacks_registry
 from neutron_lib.callbacks import resources as callbacks_resources
 from neutron_lib import constants as lib_const
+from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_utils import netutils
 
@@ -394,6 +395,7 @@ def __init__(self, integration_bridge):
                                    applied
 
         """
+        self.permitted_ethertypes = cfg.CONF.SECURITYGROUP.permitted_ethertypes
         self.int_br = self.initialize_bridge(integration_bridge)
         self.sg_port_map = SGPortMap()
         self.conj_ip_manager = ConjIPFlowManager(self)
@@ -992,6 +994,26 @@ def _initialize_ingress(self, port):
             reg_port=port.ofport,
             actions='output:{:d}'.format(port.ofport)
         )
+
+        # Allow custom ethertypes
+        for permitted_ethertype in self.permitted_ethertypes:
+            if permitted_ethertype[:2] == '0x':
+                try:
+                    hex_ethertype = hex(int(permitted_ethertype, base=16))
+                    self._add_flow(
+                        table=ovs_consts.BASE_INGRESS_TABLE,
+                        priority=100,
+                        dl_type=hex_ethertype,
+                        reg_port=port.ofport,
+                        actions='output:{:d}'.format(port.ofport)
+                    )
+                    continue
+                except ValueError:
+                    pass
+            LOG.warning("Custom ethertype %(permitted_ethertype)s is not "
+                        "a hexadecimal number.",
+                        {'permitted_ethertype': permitted_ethertype})
+
         self._initialize_ingress_ipv6_icmp(port)
 
         # DHCP offers

neutron/conf/agent/securitygroups_rpc.py

@@ -36,7 +36,13 @@
         default=True,
         help=_('Use ipset to speed-up the iptables based security groups. '
                'Enabling ipset support requires that ipset is installed on L2 '
-               'agent node.'))
+               'agent node.')),
+    cfg.ListOpt(
+        'permitted_ethertypes',
+        default=[],
+        help=_('Comma-separated list of ethertypes to be permitted, in '
+               'hexadecimal (starting with "0x"). For example, "0x4008" '
+               'to permit InfiniBand.'))
 ]
 
 

releasenotes/notes/custom_ethertypes-eae3fcab3293e3a1.yaml

@@ -0,0 +1,9 @@
+---
+security:
+  - |
+    The OVS Firewall blocks traffic that does not have either the IPv4 or IPv6
+    ethertypes at present. This is a behavior change compared to the
+    iptables_hybrid firewall, which only operates on IP packets and thus does
+    not address other ethertypes.  There is now a configuration option in the
+    neutron openvswitch agent configuration file for permitted ethertypes and
+    then ensures that the requested ethertypes are permitted on initialization.