Comment 2 for bug 1832758

Nate Johnston (nate-johnston) wrote :

I'm not sure that there is a set of attributes that would properly cover all the variations in the various ethertypes that are possible options here, and I am not possessed of sufficient expertise in them to comment authoritatively. The real objective is to establish a set of ethertypes that are permitted to pass through ingress/egress filtering. It might be as uncomplicated as that: a whitelist of ethertypes would work perfectly well.

The iptables_hybrid firewall takes the approach you indicate. Custom ethertypes operate at a lower level than IP and as such no firewall inspection or control is done to them. If they were to be handled it would need to be ebtables that would be configured to control them. But the OVS firewall does operate at the link level and does block ethertypes other than those allowed by security groups.

Use case: A customer is running an application using InfiniBand (ethertype 0x4008) in OpenStack, and that OpenStack transitions from iptables_hybrid to the OVS firewall. The InfiniBand traffic is blocked by the OVS firewall, and at present the Neutron API offers no methodology to unblock it.
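To make the link-level behaviour described above concrete, here is an added illustration (not code from the bug, Neutron or OVS) of a filter that decides pass/drop purely on a frame's ethertype: with an allow-list derived only from IP/ARP security-group rules, a constructed InfiniBand (0x4008) frame is dropped, and extending the allow-list is the "whitelist of ethertypes" the comment proposes. The default allow-list, the sample MACs and the frame builder are assumptions for this example.

```python
import struct
from typing import Iterable, List, Optional, Tuple

# Ethertype values (IEEE registry); 0x4008 is the InfiniBand value quoted in the bug.
ETH_P_IP, ETH_P_ARP, ETH_P_IPV6 = 0x0800, 0x0806, 0x86DD
ETH_P_8021Q = 0x8100        # VLAN tag: the payload ethertype follows the 4-byte tag
ETH_P_INFINIBAND = 0x4008

# Assumed allow-list for a link-level filter driven only by IP/ARP security-group rules.
DEFAULT_ALLOWED = frozenset({ETH_P_IP, ETH_P_ARP, ETH_P_IPV6})


def ethertype_of(frame: bytes) -> Optional[int]:
    """Payload ethertype of an Ethernet II frame, skipping one 802.1Q tag.
    Returns None for 802.3 frames, whose type/length field holds a length (< 0x0600)."""
    if len(frame) < 14:
        raise ValueError("runt frame: shorter than a 14-byte Ethernet header")
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q frame")
        (etype,) = struct.unpack_from("!H", frame, 16)
    return etype if etype >= 0x0600 else None


def filter_frames(frames: Iterable[Tuple[str, bytes]],
                  allowed=DEFAULT_ALLOWED) -> List[Tuple[str, Optional[int], bool]]:
    """Give each (label, frame) a pass/drop verdict based only on its ethertype,
    the way a link-level allow-list does (no inspection of the payload)."""
    verdicts = []
    for label, frame in frames:
        etype = ethertype_of(frame)
        verdicts.append((label, etype, etype is not None and etype in allowed))
    return verdicts


def make_frame(etype: int, vlan: Optional[int] = None) -> bytes:
    """Build a constructed sample frame (dummy MACs, zero payload) for testing."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("0242ac110002")
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", etype) + bytes(46)


if __name__ == "__main__":
    samples = [("ipv4", make_frame(ETH_P_IP)), ("arp", make_frame(ETH_P_ARP)),
               ("infiniband", make_frame(ETH_P_INFINIBAND)),
               ("infiniband-vlan", make_frame(ETH_P_INFINIBAND, vlan=100))]
    # Second pass: allow-list extended with 0x4008, as a per-ethertype whitelist would.
    for allowed in (DEFAULT_ALLOWED, DEFAULT_ALLOWED | {ETH_P_INFINIBAND}):
        for label, etype, ok in filter_frames(samples, allowed):
            print(f"{label:16s} 0x{etype:04x} {'pass' if ok else 'DROP'}")
```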