Comment 2 for bug 1938670

Rodolfo Alonso (rodolfo-alonso-hernandez) wrote : Re: linuxbridge: ebtables-nft allows ARP spoofing

Hello:

Thank you for the report. That was solved in master and W in [1]. This patch flushes or creates the related "vif_chain" and then adds a default DROP rule [2][3].

I'll backport this patch up to Queens. Although the patch description is not related to this one, it is indeed solving what is described.

Regards.

[1] https://review.opendev.org/q/I9463b000f6f63e65aaf91d60b30f6c92c01e3baf
[2] https://review.opendev.org/c/openstack/neutron/+/785177/3/neutron/plugins/ml2/drivers/linuxbridge/agent/arp_protect.py#122
[3] https://review.opendev.org/c/openstack/neutron/+/785177/3/neutron/plugins/ml2/drivers/linuxbridge/agent/arp_protect.py#128