From 86b5bbd25c1231b597d71dfa00e264629b36fbf6 Mon Sep 17 00:00:00 2001
From: Kevin Benton
Date: Wed, 3 Jun 2015 15:20:27 -0700
Subject: [PATCH] Skip ARP protection if 0.0.0.0/0 in addr pairs

Don't setup ARP protection on ports with allowed address pairs that allow them to use any IP address.

Change-Id: I913a86f22b228aa11fa3dabd9493c3995198f7ec
---
 neutron/plugins/openvswitch/agent/ovs_neutron_agent.py | 4 ++++
 neutron/tests/functional/agent/test_ovs_flows.py | 7 +++++++
 2 files changed, 11 insertions(+)

diff --git a/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py b/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py
index 7673a67..e4e694b 100644
--- a/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py
+++ b/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py
@@ -778,6 +778,10 @@ class OVSNeutronAgent(sg_rpc.SecurityGroupAgentRpcCallbackMixin,
         addresses = {ip for ip in addresses if netaddr.IPNetwork(ip).version == 4}
+        if '0.0.0.0/0' in addresses:
+            # don't try to install protection because a /0 prefix allows any
+            # address anyway and the ARP_SPA can only match on /1 or more.
+            return
         bridge.install_arp_spoofing_protection(port=vif.ofport, ip_addresses=addresses)
diff --git a/neutron/tests/functional/agent/test_ovs_flows.py b/neutron/tests/functional/agent/test_ovs_flows.py
index bf9936d..3a1df7f 100644
--- a/neutron/tests/functional/agent/test_ovs_flows.py
+++ b/neutron/tests/functional/agent/test_ovs_flows.py
@@ -156,6 +156,13 @@ class _ARPSpoofTestCase(object):
         self.dst_p.addr.add('%s/24' % self.dst_addr)
         self.pinger.assert_ping(self.dst_addr)
 
+    def test_arp_spoof_allowed_address_pairs_0cidr(self):
+        self._setup_arp_spoof_for_port(self.dst_p.name, ['0.0.0.0/0', '1.2.3.4'])
+        self.src_p.addr.add('%s/24' % self.src_addr)
+        self.dst_p.addr.add('%s/24' % self.dst_addr)
+        self.pinger.assert_ping(self.dst_addr)
+
     def test_arp_spoof_disable_port_security(self):
         # block first and then disable port security to make sure old rules
         # are cleared
-- 
1.9.1
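Review bot: The new guard keys on the literal string '0.0.0.0/0', but its own comment justifies the skip for any /0 prefix, and an allowed address pair spelled differently (for example a /0 entry with a non-zero host part) passes this check and still reaches install_arp_spoofing_protection with a prefix the ARP_SPA match cannot express. Testing the parsed prefix length covers every spelling and is safe here because the comprehension on the line above has already run each entry through netaddr.IPNetwork: `if any(netaddr.IPNetwork(ip).prefixlen == 0 for ip in addresses):`. The early return leaves the port with no ARP filtering at all, so if the enclosing method already logs when it skips protection for other reasons (its earlier lines and signature are outside the hunk), a log line at the same level here would let operators see which ports were deliberately left unprotected.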
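Review bot: test_arp_spoof_allowed_address_pairs_0cidr only asserts that the ping reaches dst_p, and the reason that proves the protection was skipped — that '1.2.3.4' is presumably not self.dst_addr, so an installed filter would be expected to drop the ARP reply — is left implicit, with self.dst_addr assigned outside the hunk. A one-line comment above the setup call would make the test self-explanatory, e.g. `# 1.2.3.4 is not dst_addr: the ping can only succeed if the /0 entry disabled protection entirely`. A second case using a /0 entry with a non-zero host part would also pin down whether the agent is meant to treat every /0 prefix the same way as '0.0.0.0/0'.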