Release: Pike
Environment: Ubuntu 16.04
Neutron ML2 Plugin: Linux Bridge Vlan
Problem: cannot turn off arp_spoofing on linuxbridge ml2
Background:
According to Pike release notes linuxbridge agent parameter “prevent_arp_spoofing” has been depreciated. Instead, in order to disable arp_spoofing (ebtables) on the Port, the Port’s attribute “port_security_enabled” should be set to false and no security group is on that port. Further, the Pike documentation says that the Network (and Port) “port_security_enabled” is True by default and the Port’s value if not explicitly set will default to the Networks value”.
Problem:
Given the linuxBridge_agent config below and the Network and Port attribute “port_security_enabled” set to False, with no security group arp_spoofing is being established on the port. Further we are finding that the default “port_security_enabled” value for Networks and Ports are actually set to “false” contrary to the documentation.
Diagnostics:
We’ve been able to trace the port’s “port_security_enabled” value through the plugin and we’ve found that at some point that we haven’t identified yet the value is being set from false to true. In the module, arp_protect.py::setup_arp_spoofing_proteciton() we’ve printed out the port’s value and have prior to the if statement and have found that the value has been previously set to True, which at this point drops through the if statement to enable ebtables values on the port. We’ve tried to trace the value back up the stack but have not found where it is being reset. Any thoughts? Is this a bug or are we missing a configuration somewhere? As a work-around we will set the value to false in our environment.
++ linuxbridge_agent.ini
[linux_bridge]
physical_interface_mappings=physnet1:eth2,physnet2:eth1,physnet3:eth3
[vxlan]
enable_vxlan=false
[agent]
prevent_arp_spoofing=false
[ml2_type_vlan]
network_vlan_ranges=physnet1:55:55,physnet2:50:50,physnet3:210:215
[ml2]
type_drivers=vlan, local
mechanism_drivers=linuxbridge
[securitygroup]
enable_security_group=false
firewall_driver = neutron.agent.firewall.NoopFirewallDriver
Hi @Ridsai,
Several things to check:
* Did you add 'port_security' to the list of 'extension_ drivers' ? For example:
[ml2]
extension_drivers = port_security
* Did you see the API extension "port-security"?
$ openstack extension list --network | grep "port-security"
| Port Security | port-security | Provides port security |
If you configure the extension_drivers properly and see "port-security" extension, you should be able to disable port security thus turning off arp_spoofing