Enable ARP spoofing prevention by default
Turn on the ARP spoofing prevention added in I7c079b779245a0af6bc793564fa8a560e4226afe by default. It was disabled by default since it was going into Kilo at the last minute and we didn't want to risk shipping with a default that might have broken an edge case that we didn't consider. This patch enables it by default since there shouldn't be any need to have it disabled. Change-Id: Id17939914ebf8292dce76ccb7d0f6486c91f49e5
This commit is contained in:
Kevin Benton
parent
9c0f00a0a7
commit
012840e2f5
|
|
@ -106,7 +106,7 @@
|
|||
# (e.g. bare metal or VMs attached to agents without this flag set to True).
|
||||
# Requires a version of OVS that can match ARP headers.
|
||||
#
|
||||
# prevent_arp_spoofing = False
|
||||
# prevent_arp_spoofing = True
|
||||
|
||||
# (BoolOpt) Set or un-set the don't fragment (DF) bit on outgoing IP packet
|
||||
# carrying GRE/VXLAN tunnel. The default value is True.
|
||||
|
|
|
|||
|
|
@ -74,7 +74,7 @@ agent_opts = [
|
|||
"Allows the switch (when supporting an overlay) "
|
||||
"to respond to an ARP request locally without "
|
||||
"performing a costly ARP broadcast into the overlay.")),
|
||||
cfg.BoolOpt('prevent_arp_spoofing', default=False,
|
||||
cfg.BoolOpt('prevent_arp_spoofing', default=True,
|
||||
help=_("Enable suppression of ARP responses that don't match "
|
||||
"an IP address that belongs to the port from which "
|
||||
"they originate. Note: This prevents the VMs attached "
|
||||
|
|
|
|||
|
|
@ -106,6 +106,7 @@ class TestOvsNeutronAgent(base.BaseTestCase):
|
|||
'neutron.agent.firewall.NoopFirewallDriver',
|
||||
group='SECURITYGROUP')
|
||||
cfg.CONF.set_default('quitting_rpc_timeout', 10, 'AGENT')
|
||||
cfg.CONF.set_default('prevent_arp_spoofing', False, 'AGENT')
|
||||
kwargs = ovs_neutron_agent.create_agent_config_map(cfg.CONF)
|
||||
|
||||
class MockFixedIntervalLoopingCall(object):
|
||||
|
|
|
|||
Loading…
Reference in New Issue