neutron

OVS-agent: "invalid IP address" in arp spoofing protection

Series kilo
Bug #1449363

Bug #1449363 reported by YAMAMOTO Takashi on 2015-04-28

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	neutron	Fix Released	Undecided	Kevin Benton	neutron 7.0.0 "liberty"
	Kilo	Fix Committed	Undecided	Unassigned

Bug Description

arp spoofing code tries to install flows with arp_spa=ipv6_address and ovs-ofctl correctly complains.

2015-04-26 00:17:36.844 ERROR neutron.agent.linux.utils [req-f516905e-77b4-4975-
8b8d-5b3669cdda0d None None]
Command: ['ovs-ofctl', 'add-flows', 'br-int', '-']
Exit code: 1
Stdin: hard_timeout=0,idle_timeout=0,priority=2,arp,arp_spa=2003::3,arp_op=0x2,table=24,in_port=197,actions=normal
Stdout:
Stderr: ovs-ofctl: -:1: 2003::3: invalid IP address

http://logstash.openstack.org/#eyJzZWFyY2giOiJtZXNzYWdlOlwiaW52YWxpZCBJUCBhZGRyZXNzXCIgYW5kIGZpbGVuYW1lOiBcInEtYWd0LmxvZy5nelwiIiwiZmllbGRzIjpbXSwib2Zmc2V0IjowLCJ0aW1lZnJhbWUiOiIxNzI4MDAiLCJncmFwaG1vZGUiOiJjb3VudCIsInRpbWUiOnsidXNlcl9pbnRlcnZhbCI6MH0sInN0YW1wIjoxNDMwMTk4NDczMjM3fQ==

Tags:

OpenStack Infra (hudson-openstack) on 2015-04-28

Changed in neutron:
assignee:	nobody → YAMAMOTO Takashi (yamamoto)
status:	New → In Progress

Revision history for this message

YAMAMOTO Takashi (yamamoto) wrote on 2015-04-28:

https://review.openstack.org/#/c/178037/

OpenStack Infra (hudson-openstack) on 2015-05-05

Changed in neutron:
assignee:	YAMAMOTO Takashi (yamamoto) → Kevin Benton (kevinbenton)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-05-06: Fix merged to neutron (master)

Reviewed: https://review.openstack.org/178037
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=dbe7ba1868f35af0142f78c70693ed69e6f42ca3
Submitter: Jenkins
Branch: master

commit dbe7ba1868f35af0142f78c70693ed69e6f42ca3
Author: YAMAMOTO Takashi <email address hidden>
Date: Tue Apr 28 12:37:22 2015 +0900

OVS-agent: Ignore IPv6 addresses for ARP spoofing prevention

    The flow rules to match on ARP headers for spoofing prevention
    fail to install when an IPv6 address is used. These should be
    skipped since the ARP spoofing prevention doesn't apply to IPv6.

    Co-authored-by: Kevin Benton <email address hidden>
    Closes-Bug: #1449363
    Change-Id: I4bb3135e62378c5c96d1ac0b646336ac9a637bde

Changed in neutron:
status:	In Progress → Fix Committed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-05-06: Fix proposed to neutron (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/180621

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-05-22: Fix proposed to neutron (neutron-pecan)

Fix proposed to branch: neutron-pecan
Review: https://review.openstack.org/185072

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-06-01: Fix merged to neutron (stable/kilo)

Reviewed: https://review.openstack.org/180621
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=c2869b7118c0c5fa71e33411cf557f962e1ab279
Submitter: Jenkins
Branch: stable/kilo

commit c2869b7118c0c5fa71e33411cf557f962e1ab279
Author: YAMAMOTO Takashi <email address hidden>
Date: Tue Apr 28 12:37:22 2015 +0900

OVS-agent: Ignore IPv6 addresses for ARP spoofing prevention

    The flow rules to match on ARP headers for spoofing prevention
    fail to install when an IPv6 address is used. These should be
    skipped since the ARP spoofing prevention doesn't apply to IPv6.

Conflicts:
neutron/tests/common/machine_fixtures.py

    Co-authored-by: Kevin Benton <email address hidden>
    Closes-Bug: #1449363
    Change-Id: I4bb3135e62378c5c96d1ac0b646336ac9a637bde
    (cherry picked from commit dbe7ba1868f35af0142f78c70693ed69e6f42ca3)

tags:

added: in-stable-kilo

Thierry Carrez (ttx) on 2015-06-24

Changed in neutron:
milestone:	none → liberty-1
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2015-10-15

Changed in neutron:
milestone:	liberty-1 → 7.0.0

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.