[RFE] Allow/deny custom ethertypes in security groups
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| neutron | Fix Released | Wishlist | Nate Johnston | |
Bug Description
Some operators need to allow/deny custom Ethertypes for applications which use their own non-IP traffic (such as for clustering applications). The Security Group API only handles specifying behavior within the IP protocol. With the firewall reference implementation (OVS Firewall) anything other than IPv4 and IPv6 is subject to the default deny. This means OpenStack customers have no options to use OpenStack to permit protocols that use separate ethertypes like InfiniBand and FCoE.
We propose adding to the Security Group API the capability to specify standard security group behaviors (allow, deny) for custom ethertypes, with the aim of implementing these controls in the OVS firewall.
Changed in neutron: | |
importance: | Undecided → Wishlist |
tags: | added: rfe |
Miguel Lavalle (minsel) wrote : | #1 |
Nate Johnston (nate-johnston) wrote : | #2 |
I'm not sure that there are a set of attributes that would properly cover all the variations in the various ethertypes that are possible options here, and I am not possessed of sufficient expertise in them to comment authoritatively. The real objective is to establish a set of ethertypes that are permitted to pass through ingress/egress filtering. It might be as uncomplicated as that: a whitelist of ethertypes would work perfectly well.
The iptables_hybrid firewall takes the approach you indicate. Custom ethertypes operate at a lower level than IP and as such no firewall inspection or control is done to them. If they were to be handled it would need to be ebtables that would be configured to control them. But the OVS firewall does operate at the link level and does block ethertypes other than those allowed by security groups.
Use case: Customer is running an application using InfiniBand (ethertype 0x4008) in OpenStack, and that OpenStack transitions from iptables_hybrid to ovs firewall. The InfiniBand traffic is blocked by the ovs firewall, and at present the Neutron API offers no methodology to unblock it.
Miguel Lavalle (minsel) wrote : | #3 |
Let's talk about it in the drivers meeting
tags: |
added: rfe-triaged removed: rfe |
YAMAMOTO Takashi (yamamoto) wrote : | #4 |
YAMAMOTO Takashi (yamamoto) wrote : | #5 |
wrt Nate's point in comment #2, I'm inclined to consider it as a bug in ovs-fw.
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (master) | #6 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron-specs (master) | #7 |
Related fix proposed to branch: master
Review: https:/
Miguel Lavalle (minsel) wrote : | #8 |
This RFE is approved. The implementation will include the following:
1) Custom ethertype traffic will not be allowed by default. Users have to add rules to the security group to enable them
2) There will be a new API extension
3) A backportable lightweight approach will be implemented using a config option as outlined here: https:/
tags: |
added: rfe-approved removed: rfe-triaged |
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (master) | #9 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 9ea6a616658268b
Author: Nate Johnston <email address hidden>
Date: Fri Jun 28 14:03:28 2019 -0400
Add custom ethertype processing
The OVS Firewall blocks traffic that does not have either the IPv4 or
IPv6 ethertypes at present. This is a behavior change compared to the
iptables_hybrid firewall, which only operates on IP packets and thus
does not address other ethertypes.
This is a lightweight change that sets a configuration option in the
neutron openvswitch agent configuration file for permitted ethertypes
and then ensures that the requested ethertypes are permitted on
initialization. This addresses the security and usability concerns on
both master and stable branches while a full-fledged extension to the
security groups API is considered.
Change-Id: Ide78b0b90cf6d6
Related-Bug: #1832758
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (stable/stein) | #10 |
Related fix proposed to branch: stable/stein
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (stable/rocky) | #11 |
Related fix proposed to branch: stable/rocky
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (stable/queens) | #12 |
Related fix proposed to branch: stable/queens
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (stable/stein) | #13 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/stein
commit 0be471486bf9579
Author: Nate Johnston <email address hidden>
Date: Fri Jun 28 14:03:28 2019 -0400
Add custom ethertype processing
The OVS Firewall blocks traffic that does not have either the IPv4 or
IPv6 ethertypes at present. This is a behavior change compared to the
iptables_hybrid firewall, which only operates on IP packets and thus
does not address other ethertypes.
This is a lightweight change that sets a configuration option in the
neutron openvswitch agent configuration file for permitted ethertypes
and then ensures that the requested ethertypes are permitted on
initialization. This addresses the security and usability concerns on
both master and stable branches while a full-fledged extension to the
security groups API is considered.
Change-Id: Ide78b0b90cf6d6
Related-Bug: #1832758
(cherry picked from commit 9ea6a616658268b
tags: | added: in-stable-stein |
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (stable/queens) | #14 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/queens
commit 51d71097c99ad9a
Author: Nate Johnston <email address hidden>
Date: Fri Jun 28 14:03:28 2019 -0400
Add custom ethertype processing
The OVS Firewall blocks traffic that does not have either the IPv4 or
IPv6 ethertypes at present. This is a behavior change compared to the
iptables_hybrid firewall, which only operates on IP packets and thus
does not address other ethertypes.
This is a lightweight change that sets a configuration option in the
neutron openvswitch agent configuration file for permitted ethertypes
and then ensures that the requested ethertypes are permitted on
initialization. This addresses the security and usability concerns on
both master and stable branches while a full-fledged extension to the
security groups API is considered.
Change-Id: Ide78b0b90cf6d6
Related-Bug: #1832758
(cherry picked from commit 9ea6a616658268b
tags: | added: in-stable-queens |
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (stable/rocky) | #15 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/rocky
commit 55a503b4c961816
Author: Nate Johnston <email address hidden>
Date: Fri Jun 28 14:03:28 2019 -0400
Add custom ethertype processing
The OVS Firewall blocks traffic that does not have either the IPv4 or
IPv6 ethertypes at present. This is a behavior change compared to the
iptables_hybrid firewall, which only operates on IP packets and thus
does not address other ethertypes.
This is a lightweight change that sets a configuration option in the
neutron openvswitch agent configuration file for permitted ethertypes
and then ensures that the requested ethertypes are permitted on
initialization. This addresses the security and usability concerns on
both master and stable branches while a full-fledged extension to the
security groups API is considered.
Change-Id: Ide78b0b90cf6d6
Related-Bug: #1832758
(cherry picked from commit 9ea6a616658268b
tags: | added: in-stable-rocky |
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master) | #16 |
Fix proposed to branch: master
Review: https:/
Changed in neutron: | |
assignee: | nobody → Nate Johnston (nate-johnston) |
status: | New → In Progress |
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron-specs (master) | #17 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 2bbb80d049e27bc
Author: Nate Johnston <email address hidden>
Date: Fri Jun 28 16:17:17 2019 -0400
Add spec for custom ethertype feature
This change adds a specification for the change to add control for
custom ethertypes.
Change-Id: I158b1be16fba7b
Related-Bug: #1832758
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (master) | #18 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit fb859966f79fc0f
Author: Nate Johnston <email address hidden>
Date: Thu Aug 22 10:13:00 2019 -0400
OVS flows for custom ethertypes must be on EGRESS
Some traffic does not work if the OVS flows to permit custom ethertypes
are not set on the base egress table. If the rule is added to the base
egress table then both ingress and egress work properly. Also move
initialization code to the function to initialize egress.
Related-Bug: #1832758
Change-Id: Ia312fe75df5872
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (stable/stein) | #19 |
Related fix proposed to branch: stable/stein
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (stable/rocky) | #20 |
Related fix proposed to branch: stable/rocky
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (stable/queens) | #21 |
Related fix proposed to branch: stable/queens
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (stable/stein) | #22 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/stein
commit 9d04e38e8679c3f
Author: Nate Johnston <email address hidden>
Date: Thu Aug 22 10:13:00 2019 -0400
OVS flows for custom ethertypes must be on EGRESS
Some traffic does not work if the OVS flows to permit custom ethertypes
are not set on the base egress table. If the rule is added to the base
egress table then both ingress and egress work properly. Also move
initialization code to the function to initialize egress.
Related-Bug: #1832758
Change-Id: Ia312fe75df5872
(cherry picked from commit fb859966f79fc0f
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (stable/rocky) | #23 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/rocky
commit f88d703efe6a299
Author: Nate Johnston <email address hidden>
Date: Thu Aug 22 10:13:00 2019 -0400
OVS flows for custom ethertypes must be on EGRESS
Some traffic does not work if the OVS flows to permit custom ethertypes
are not set on the base egress table. If the rule is added to the base
egress table then both ingress and egress work properly. Also move
initialization code to the function to initialize egress.
Related-Bug: #1832758
Change-Id: Ia312fe75df5872
(cherry picked from commit fb859966f79fc0f
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (stable/queens) | #24 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/queens
commit 99eaf3eeee415e7
Author: Nate Johnston <email address hidden>
Date: Thu Aug 22 10:13:00 2019 -0400
OVS flows for custom ethertypes must be on EGRESS
Some traffic does not work if the OVS flows to permit custom ethertypes
are not set on the base egress table. If the rule is added to the base
egress table then both ingress and egress work properly. Also move
initialization code to the function to initialize egress.
Related-Bug: #1832758
Change-Id: Ia312fe75df5872
(cherry picked from commit fb859966f79fc0f
Changed in neutron: | |
status: | In Progress → Fix Released |
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (master) | #25 |
Related fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (master) | #26 |
Reviewed: https:/
Committed: https:/
Submitter: "Zuul (22348)"
Branch: master
commit 008277b8c12d994
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Sun Mar 5 22:12:55 2023 +0100
[OVS] Allow custom ethertype traffic in the ingress table
This patch is a partial revert of [1], reinstating the code merged
in [2]. This patch is complementary to [1]: the traffic with
custom ethertypes is allowed in the ingress processing tables, just
as [1] allows all traffic from the virtual machine ports on this
host to leave the node. Both this patch and [1] bypass the
OVS firewall only for traffic with the configured allowed
ethertypes and only from/to the local ports and MAC addresses.
Any other traffic, not coming from a local port or destined to
a local port, will be blocked as it is now.
[1]https:/
[2]https:/
Closes-Bug: #2009221
Related-Bug: #1832758
Change-Id: Ib8340d9430b946
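The following is an added example written for this page, not neutron's own code. It models the three behaviours the thread describes: the OVS firewall's link-layer default deny that blocks anything but IPv4/IPv6 (comment #2), an operator allow-list of custom ethertypes read from agent configuration (comment #8; the option name `permitted_ethertypes` and its comma-separated hex format are assumed here), and the scoping from the commit above, where the bypass applies only to allowed ethertypes sent from or to a local port. Ports are modelled by their MAC addresses, and the frames and MAC addresses are constructed sample data.

```python
# Added example modelling the OVS firewall's handling of non-IP ethertypes.
# Not neutron code; option name and frame samples are assumptions/constructed.
import struct

ETH_P_IPV4 = 0x0800
ETH_P_IPV6 = 0x86DD
ETH_P_8021Q = 0x8100        # 802.1Q VLAN tag
ETH_P_8021AD = 0x88A8       # 802.1ad (QinQ) outer tag
IEEE8023_MIN_ETHERTYPE = 0x0600  # smaller values are 802.3 length fields


def parse_permitted_ethertypes(raw):
    """Parse a comma-separated allow-list such as "0x4008, 0x8915".

    Values must be hexadecimal and lie in the ethertype range, so a typo
    (a decimal number, a bare "4008") cannot silently widen what the
    firewall bypasses.  Returns a set of ints.  The option name
    "permitted_ethertypes" this mimics is an assumption of this example.
    """
    permitted = set()
    for item in raw.split(","):
        item = item.strip()
        if not item:
            continue
        if not item.lower().startswith("0x"):
            raise ValueError("ethertype %r must be hex, e.g. 0x4008" % item)
        value = int(item, 16)
        if not IEEE8023_MIN_ETHERTYPE <= value <= 0xFFFF:
            raise ValueError("%s is outside the ethertype range 0x0600-0xffff" % item)
        permitted.add(value)
    return permitted


def build_frame(dst_mac, src_mac, ethertype, payload, vlan_id=None):
    """Construct an Ethernet II frame (constructed sample data, MACs as hex strings)."""
    header = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    if vlan_id is not None:
        header += struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst_mac, src_mac, ethertype), skipping 802.1Q/802.1ad tags so a
    VLAN-tagged InfiniBand frame is classified by its inner ethertype."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac = frame[0:6].hex()
    src_mac = frame[6:12].hex()
    offset = 12
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    while ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        offset += 4
        if len(frame) < offset + 2:
            raise ValueError("truncated VLAN tag")
        ethertype = struct.unpack_from("!H", frame, offset)[0]
    return dst_mac, src_mac, ethertype


def ovs_fw_verdict(frame, permitted, local_macs):
    """Decide what the modelled OVS firewall does with a frame.

    IPv4/IPv6 is handed to the normal security-group rule processing.
    Any other ethertype is dropped unless it is on the allow-list *and*
    the frame is sent from or to a port local to this host; that second
    condition keeps the bypass from forwarding arbitrary non-IP traffic.
    """
    dst_mac, src_mac, ethertype = parse_frame(frame)
    if ethertype in (ETH_P_IPV4, ETH_P_IPV6):
        return "sg-rules"
    if ethertype in permitted and (src_mac in local_macs or dst_mac in local_macs):
        return "allow"
    return "drop"


def dl_type_matches(permitted):
    """Render one OpenFlow match fragment per permitted ethertype
    (dl_type is the standard ovs-ofctl match key for the ethertype)."""
    return ["dl_type=0x%04x" % et for et in sorted(permitted)]


if __name__ == "__main__":
    # Constructed sample: InfiniBand (0x4008, the value cited in comment #2)
    # between two MAC addresses, one of them local to this host.
    local = {"020000000001"}
    ib = build_frame("020000000002", "020000000001", 0x4008, b"\x00" * 20)
    print(ovs_fw_verdict(ib, set(), local))        # drop: default deny
    print(ovs_fw_verdict(ib, {0x4008}, local))     # allow: on the allow-list
    print(dl_type_matches(parse_permitted_ethertypes("0x4008,0x8915")))
```

The validation in `parse_permitted_ethertypes` is the part worth keeping in mind operationally: because the allow-list bypasses the firewall entirely for those ethertypes, a malformed or over-broad entry widens the bypass, so the parser rejects anything that is not a well-formed ethertype rather than guessing.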
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (stable/2023.1) | #27 |
Related fix proposed to branch: stable/2023.1
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (stable/zed) | #28 |
Related fix proposed to branch: stable/zed
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (stable/xena) | #29 |
Related fix proposed to branch: stable/xena
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (stable/wallaby) | #30 |
Related fix proposed to branch: stable/wallaby
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (stable/yoga) | #31 |
Related fix proposed to branch: stable/yoga
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (stable/2023.1) | #32 |
Reviewed: https:/
Committed: https:/
Submitter: "Zuul (22348)"
Branch: stable/2023.1
commit 17faa288cedcdb7
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Sun Mar 5 22:12:55 2023 +0100
[OVS] Allow custom ethertype traffic in the ingress table
This patch is a partial revert of [1], reinstating the code merged
in [2]. This patch is complementary to [1]: the traffic with
custom ethertypes is allowed in the ingress processing tables, just
as [1] allows all traffic from the virtual machine ports on this
host to leave the node. Both this patch and [1] bypass the
OVS firewall only for traffic with the configured allowed
ethertypes and only from/to the local ports and MAC addresses.
Any other traffic, not coming from a local port or destined to
a local port, will be blocked as it is now.
[1]https:/
[2]https:/
Closes-Bug: #2009221
Related-Bug: #1832758
Change-Id: Ib8340d9430b946
(cherry picked from commit 008277b8c12d994
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (stable/zed) | #33 |
Reviewed: https:/
Committed: https:/
Submitter: "Zuul (22348)"
Branch: stable/zed
commit 138a47bfd62252d
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Sun Mar 5 22:12:55 2023 +0100
[OVS] Allow custom ethertype traffic in the ingress table
This patch is a partial revert of [1], reinstating the code merged
in [2]. This patch is complementary to [1]: the traffic with
custom ethertypes is allowed in the ingress processing tables, just
as [1] allows all traffic from the virtual machine ports on this
host to leave the node. Both this patch and [1] bypass the
OVS firewall only for traffic with the configured allowed
ethertypes and only from/to the local ports and MAC addresses.
Any other traffic, not coming from a local port or destined to
a local port, will be blocked as it is now.
[1]https:/
[2]https:/
Closes-Bug: #2009221
Related-Bug: #1832758
Change-Id: Ib8340d9430b946
(cherry picked from commit 008277b8c12d994
tags: | added: in-stable-zed |
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (stable/yoga) | #34 |
Reviewed: https:/
Committed: https:/
Submitter: "Zuul (22348)"
Branch: stable/yoga
commit 8c7f3b61f75368f
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Sun Mar 5 22:12:55 2023 +0100
[OVS] Allow custom ethertype traffic in the ingress table
This patch is a partial revert of [1], reinstating the code merged
in [2]. This patch is complementary to [1]: the traffic with
custom ethertypes is allowed in the ingress processing tables, just
as [1] allows all traffic from the virtual machine ports on this
host to leave the node. Both this patch and [1] bypass the
OVS firewall only for traffic with the configured allowed
ethertypes and only from/to the local ports and MAC addresses.
Any other traffic, not coming from a local port or destined to
a local port, will be blocked as it is now.
[1]https:/
[2]https:/
Conflicts:
Closes-Bug: #2009221
Related-Bug: #1832758
Change-Id: Ib8340d9430b946
(cherry picked from commit 008277b8c12d994
(cherry picked from commit 5026d805fe01aaf
tags: | added: in-stable-yoga |
tags: | added: in-stable-xena |
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (stable/xena) | #35 |
Reviewed: https:/
Committed: https:/
Submitter: "Zuul (22348)"
Branch: stable/xena
commit 1e244c57c51f02a
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Sun Mar 5 22:12:55 2023 +0100
[OVS] Allow custom ethertype traffic in the ingress table
This patch is a partial revert of [1], reinstating the code merged
in [2]. This patch is complementary to [1]: the traffic with
custom ethertypes is allowed in the ingress processing tables, just
as [1] allows all traffic from the virtual machine ports on this
host to leave the node. Both this patch and [1] bypass the
OVS firewall only for traffic with the configured allowed
ethertypes and only from/to the local ports and MAC addresses.
Any other traffic, not coming from a local port or destined to
a local port, will be blocked as it is now.
[1]https:/
[2]https:/
Conflicts:
Closes-Bug: #2009221
Related-Bug: #1832758
Change-Id: Ib8340d9430b946
(cherry picked from commit 008277b8c12d994
tags: | added: in-stable-wallaby |
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (stable/wallaby) | #36 |
Reviewed: https:/
Committed: https:/
Submitter: "Zuul (22348)"
Branch: stable/wallaby
commit f5b6c2afd8c4d4c
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Sun Mar 5 22:12:55 2023 +0100
[OVS] Allow custom ethertype traffic in the ingress table
This patch is a partial revert of [1], reinstating the code merged
in [2]. This patch is complementary to [1]: the traffic with
custom ethertypes is allowed in the ingress processing tables, just
as [1] allows all traffic from the virtual machine ports on this
host to leave the node. Both this patch and [1] bypass the
OVS firewall only for traffic with the configured allowed
ethertypes and only from/to the local ports and MAC addresses.
Any other traffic, not coming from a local port or destined to
a local port, will be blocked as it is now.
[1]https:/
[2]https:/
Conflicts:
Closes-Bug: #2009221
Related-Bug: #1832758
Change-Id: Ib8340d9430b946
(cherry picked from commit 008277b8c12d994
(cherry picked from commit 5026d805fe01aaf
If I look at the security group rules API attributes (https://developer.openstack.org/api-ref/network/v2/index.html?expanded=create-security-group-rule-detail#id416), clearly several of them exist under the assumption of IP protocols: protocol, port ranges, remote ip prefix. If we allow other ethertypes,
1) Won't many of them require additional specific attributes in the API to allow the user to specify the behavior she is looking for?
2) Or can we come up with a standard set of attributes that will apply to all those ethertypes?
3) Should this even be approached from the security groups API perspective? What you are talking about here is link layer, whereas the security groups API is at the IP level, at least as it is today.
Also you indicate that the aim is "implementing these controls in the OVS firewall". Shouldn't we be discussing in this RFE the entire thing and not just the addition of ethertypes?