Comment 1 for bug 1274034

Édouard Thuleau (ethuleau) wrote :

I propose a draft patch (without UT) that corrects this bug (attached to that bug).
iptables is not able to prevent the ARP cache poisoning but ebtables could.

My proposed patch implements an ebtables manager and adds a 'NWFilterFirewall' class that the iptables firewall driver instantiates when security is enabled on a port.
I move MAC and IP spoofing protection to that class and I propose to delegate all the first hop security (FHS) rules to the 'NWFilterFirewall' class.

Note: The security groups mix-in [1] implements by default some provider default rules (DHCP and RA). Should we delegate that to the 'NWFilterFirewall' class?

I also want to point you to other IPv6 FHS rules we should prevent too (especially for IPv6; I think we have enough for IPv4 protection (IP, MAC, ARP, DHCPv4)).
I link [2][3] CISCO documents that list these FHS rules that their equipment implements by default.

My proposed patch is rebased on Nachi's review [4]. I modified the list of 'vif_security' attributes to:
- require_iptables: Neutron requires an external service to support iptables,
- prevent_spoofing: Neutron requires an external service to prevent base spoofing,
- require_securitygroup: Neutron requires an external service to support security group.
Any thoughts?

For the backport, I thought we could use the 'NWFilterFirewall' [5] driver as firewall_driver for Nova together with the 'IptablesFirewallDriver' as Neutron firewall driver.
I just made a rapid test but I think Nova will need a small patch to be able to do that (some methods of the mother class 'FirewallDriver' need to be implemented by the 'NWFilterFirewall' class). Any thoughts?
This bug should impact Havana and Grizzly stable releases.

[1] neutron/db/ line 284
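As an added illustration of the point above (not the patch attached to this bug, and not Neutron's own code): a Python sketch of the per-port ebtables rules such a manager would install to pin ARP sender MAC/IP to the port's own MAC and fixed IPv4 addresses. The chain-naming scheme, the sample port and the `-j RETURN` hand-off of non-ARP frames to iptables are assumptions made here.

```python
import ipaddress
import re

# Constructed sample port, not taken from the bug report.
SAMPLE_PORT = {
    "device": "tap1234",
    "mac": "FA:16:3E:AA:BB:CC",
    "fixed_ips": ["10.0.0.5", "10.0.0.6"],
}

_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def arp_spoof_rules(device, mac, fixed_ips):
    """Return ebtables rules (as argument lists) that only let ARP frames whose
    sender MAC/IP match the port leave `device` into the bridge.
    The 'neutron-arp-<device>' chain name is a hypothetical convention."""
    mac = mac.lower()
    if not _MAC_RE.match(mac):
        raise ValueError("invalid MAC address: %s" % mac)
    ips = [str(ipaddress.IPv4Address(ip)) for ip in fixed_ips]  # rejects non-IPv4
    chain = "neutron-arp-%s" % device  # ebtables limits chain names to 31 chars
    if len(chain) > 31:
        raise ValueError("chain name too long: %s" % chain)
    rules = [
        ["-N", chain],
        # Frames entering the bridge from the VM's tap go to the port chain.
        ["-A", "FORWARD", "-i", device, "-j", chain],
        # L2 source MAC must be the port's MAC (ebtables negation is '-s ! mac').
        ["-A", chain, "-s", "!", mac, "-j", "DROP"],
        # Non-ARP frames return to FORWARD; IP spoofing stays with iptables.
        ["-A", chain, "-p", "!", "ARP", "-j", "RETURN"],
    ]
    for ip in ips:
        # ARP (request or reply) is allowed only with the port's own MAC/IP.
        rules.append(["-A", chain, "-p", "ARP", "--arp-mac-src", mac,
                      "--arp-ip-src", ip, "-j", "RETURN"])
    # Any other ARP, e.g. a reply claiming a neighbour's IP, is dropped.
    rules.append(["-A", chain, "-p", "ARP", "-j", "DROP"])
    return rules


def render(rules):
    """Render rules as the 'ebtables ...' command lines a manager would execute."""
    return ["ebtables " + " ".join(r) for r in rules]


if __name__ == "__main__":
    p = SAMPLE_PORT
    for line in render(arp_spoof_rules(p["device"], p["mac"], p["fixed_ips"])):
        print(line)
```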