Enable ARP spoofing protection for Neutron
ARP Spoofing protection in Neutron should be enabled by default. Upstream patch: https://review.openstack.org/#/c/225131 Patch for master branch: https://review.fuel-infra.org/#/c/11865/ Closes-bug: #1496336 Change-Id: If7b25f0618f40040714b6e54c1498dd959c2a610
parent
0623b4daad
commit
92a356fadd
@ -97,6 +97,10 @@
|
||||
# flow tables resetting
|
||||
# Defaults to false
|
||||
#
|
||||
# [*prevent_arp_spoofing*]
|
||||
# (optional) Enable or not ARP Spoofing Protection
|
||||
# Defaults to false
|
||||
#
|
||||
class neutron::agents::ml2::ovs (
|
||||
$package_ensure = 'present',
|
||||
$enabled = true,
|
||||
@ -115,6 +119,7 @@ class neutron::agents::ml2::ovs (
|
||||
$firewall_driver = 'neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver',
|
||||
$enable_distributed_routing = false,
|
||||
$drop_flows_on_start = false,
|
||||
$prevent_arp_spoofing = false,
|
||||
) {
|
||||
|
||||
include ::neutron::params
|
||||
@ -176,6 +181,7 @@ class neutron::agents::ml2::ovs (
|
||||
'agent/arp_responder': value => $arp_responder;
|
||||
'agent/enable_distributed_routing': value => $enable_distributed_routing;
|
||||
'agent/drop_flows_on_start': value => $drop_flows_on_start;
|
||||
'agent/prevent_arp_spoofing': value => $prevent_arp_spoofing;
|
||||
'ovs/integration_bridge': value => $integration_bridge;
|
||||
}
|
||||
|
||||
|
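Review bot: The new `$prevent_arp_spoofing` parameter defaults to `false`, so the protection named in the commit title stays off for every consumer of `neutron::agents::ml2::ovs` that does not pass it explicitly; only the wrapper class changed later in this commit sets it to `true`. If the default has to stay aligned with the upstream patch, the header comment should say what is lost at the default, for example `# (optional) Drop ARP replies from a port whose source IP is not assigned to that port.` followed by `# Defaults to false (protection disabled)`. Otherwise `$prevent_arp_spoofing = true,` with a matching `# Defaults to true` would make the secure setting the default. The value is written to `agent/prevent_arp_spoofing` as given, and whether the class validates it as a boolean is not visible here, since the class body continues outside these hunks.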
@ -20,7 +20,8 @@ describe 'neutron::agents::ml2::ovs' do
|
||||
:arp_responder => false,
|
||||
:enable_distributed_routing => false,
|
||||
:drop_flows_on_start => false,
|
||||
:firewall_driver => 'neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver' }
|
||||
:firewall_driver => 'neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver',
|
||||
:prevent_arp_spoofing => false }
|
||||
end
|
||||
|
||||
let :default_facts do
|
||||
@ -44,6 +45,7 @@ describe 'neutron::agents::ml2::ovs' do
|
||||
is_expected.to contain_neutron_agent_ovs('agent/polling_interval').with_value(p[:polling_interval])
|
||||
is_expected.to contain_neutron_agent_ovs('agent/l2_population').with_value(p[:l2_population])
|
||||
is_expected.to contain_neutron_agent_ovs('agent/arp_responder').with_value(p[:arp_responder])
|
||||
is_expected.to contain_neutron_agent_ovs('agent/prevent_arp_spoofing').with_value(p[:prevent_arp_spoofing])
|
||||
is_expected.to contain_neutron_agent_ovs('agent/drop_flows_on_start').with_value(p[:drop_flows_on_start])
|
||||
is_expected.to contain_neutron_agent_ovs('ovs/integration_bridge').with_value(p[:integration_bridge])
|
||||
is_expected.to contain_neutron_agent_ovs('securitygroup/firewall_driver').\
|
||||
@ -101,6 +103,15 @@ describe 'neutron::agents::ml2::ovs' do
|
||||
end
|
||||
end
|
||||
|
||||
context 'when enabling ARP Spoofing Protection' do
|
||||
before :each do
|
||||
params.merge!(:prevent_arp_spoofing => true)
|
||||
end
|
||||
it 'should enable ARP Spoofing Protection' do
|
||||
is_expected.to contain_neutron_agent_ovs('agent/prevent_arp_spoofing').with_value(true)
|
||||
end
|
||||
end
|
||||
|
||||
context 'when enabling DVR' do
|
||||
before :each do
|
||||
params.merge!(:enable_distributed_routing => true,
|
||||
|
@ -94,6 +94,7 @@ class openstack::network::neutron_agents (
|
||||
tunnel_types => $tunnel_types,
|
||||
enable_distributed_routing => $agent_mode ? { 'legacy' => false, default => true},
|
||||
l2_population => $l2_population,
|
||||
prevent_arp_spoofing => true,
|
||||
manage_service => true,
|
||||
enabled => true,
|
||||
}
|
||||
|
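Review bot: `prevent_arp_spoofing => true,` is a bare literal with no comment and no override, while neighbouring arguments such as `l2_population` and `tunnel_types` are fed from variables. With the filter on, the OVS agent is expected to drop ARP replies for addresses that are not assigned to the port, so instances that move a virtual IP between themselves (keepalived-style failover) need that address registered as an allowed address pair. That is worth stating next to the line, e.g. `# ARP replies are limited to addresses assigned to the port; VIPs need allowed-address-pairs`. If an escape hatch is wanted, a class parameter defaulting to `true` and passed through here keeps the secure default while letting an operator turn it off deliberately. The parameter list of `openstack::network::neutron_agents` is outside this hunk, so this is a suggestion and not a confirmed gap.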
@ -53,6 +53,12 @@ describe manifest do
|
||||
'drop_flows_on_start' => 'false',
|
||||
)
|
||||
end
|
||||
|
||||
it 'should declare neutron::agents::ml2::ovs with prevent_arp_spoofing enabled' do
|
||||
should contain_class('neutron::agents::ml2::ovs').with(
|
||||
'prevent_arp_spoofing' => 'true',
|
||||
)
|
||||
end
|
||||
else
|
||||
it 'should declare openstack::network with neutron_server parameter set to false' do
|
||||
should contain_class('openstack::network').with(
|
||||
|
@ -37,6 +37,12 @@ describe manifest do
|
||||
)
|
||||
end
|
||||
|
||||
it 'should declare neutron::agents::ml2::ovs with prevent_arp_spoofing enabled' do
|
||||
should contain_class('neutron::agents::ml2::ovs').with(
|
||||
'prevent_arp_spoofing' => 'true',
|
||||
)
|
||||
end
|
||||
|
||||
it 'should declare neutron::agents::dhcp with isolated metadata enabled' do
|
||||
should contain_class('neutron::agents::dhcp').with(
|
||||
'enable_isolated_metadata' => 'true',
|
||||
|