Comment 13 for bug 1732294

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/520249
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=08108c41992a13c6959b717cccfe2b929e55d2eb
Submitter: Zuul
Branch: master

commit 08108c41992a13c6959b717cccfe2b929e55d2eb
Author: Brian Haley <email address hidden>
Date: Wed Nov 15 19:24:22 2017 -0500

    Move Linuxbridge ARP spoofing to nat table PREROUTING chain

    It was found that adding ebtables rules to the filter table
    FORWARD chain could be vulnerable to a DoS attack. Moving
    to the nat table PREROUTING chain should mitigate this as
    it is consulted prior to allowing the frame in.

    In order to make this work with upgrades, had to make the code
    detect and remove any old rules that might still exist in
    the filter table. That can be removed after a cycle.

    Added some unit tests in addition to the existing functional
    tests.

    Change-Id: I87852b21db4404c58c83789cc267812030ac7d5f
    Closes-bug: #1732294
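
An upgrade check of the kind the commit message describes, as an added example (not code from the neutron change): it reads an ebtables-save style dump, builds the commands that remove ARP-protection leftovers from the filter table FORWARD chain, and reports per-port chains that have no matching jump in nat PREROUTING yet. The "neutronARP-" chain prefix, the function names and the sample dump are assumptions constructed for illustration.

```python
import shlex

# Assumed per-port chain prefix; the page does not state the chain names.
PREFIX = "neutronARP-"
# Constructed ebtables-save style dump: tapaaa already moved, tapbbb not yet.
SAMPLE = """\
*filter
:FORWARD ACCEPT
:neutronARP-tapaaa DROP
:neutronARP-tapbbb DROP
-A FORWARD -p ARP -i tapaaa -j neutronARP-tapaaa
-A FORWARD -p ARP -i tapbbb -j neutronARP-tapbbb
-A neutronARP-tapaaa -p ARP --arp-ip-src 10.0.0.5 -j ACCEPT
*nat
:PREROUTING ACCEPT
:neutronARP-tapaaa DROP
-A PREROUTING -p ARP -i tapaaa -j neutronARP-tapaaa
-A neutronARP-tapaaa -p ARP --arp-ip-src 10.0.0.5 -j ACCEPT
"""

def parse_save(dump):
    """Return {table: {"chains": set of names, "rules": [(chain, args)]}}."""
    tables, cur = {}, None
    for line in map(str.strip, dump.splitlines()):
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], {"chains": set(), "rules": []})
        elif cur is not None and line.startswith(":"):
            cur["chains"].add(line[1:].split()[0])
        elif cur is not None and line.startswith("-A "):
            args = shlex.split(line)
            cur["rules"].append((args[1], args[2:]))
    return tables

def jump_target(args):
    return args[args.index("-j") + 1] if "-j" in args[:-1] else None

def legacy_cleanup(dump, prefix=PREFIX):
    """Return (cleanup argv lists, chains not yet present in nat PREROUTING)."""
    tables = parse_save(dump)
    flt = tables.get("filter", {"chains": set(), "rules": []})
    moved = {jump_target(a) for c, a in tables.get("nat", {"rules": []})["rules"] if c == "PREROUTING"}
    cmds, pending = [], []
    for chain, args in flt["rules"]:  # drop the jumps first so -X is not refused
        if chain == "FORWARD" and (jump_target(args) or "").startswith(prefix):
            cmds.append(["ebtables", "-t", "filter", "-D", "FORWARD", *args])
    for chain in sorted(c for c in flt["chains"] if c.startswith(prefix)):
        cmds.append(["ebtables", "-t", "filter", "-X", chain])
        if chain not in moved:
            pending.append(chain)
    return cmds, pending
```

A non-empty second return value means a port would lose ARP filtering if the old rules were removed before the new ones are installed.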