Revert "[OVN] Set 'unknown' address properly when port sec is disabled"

We can now revert this patch, because main cause has been already fixed in Core OVN [1]. With this fix the ARP responder flows are not installed on LS pipeline, when LSP has port security disabled, and an 'unknown' address is set in addresses column. This makes MAC spoofing possible. [1] https://patchwork.ozlabs.org/patch/1258152/ This reverts commit 03b87ad963. Change-Id: Ie4c87d325b671348e133d62818d99af147d50ca2 Closes-Bug: #1864027
2020-02-20 11:27:13 +00:00 · 2020-02-20 11:27:13 +00:00 · 3d3b61f879
parent 6d0b8890b9
commit 3d3b61f879
3 changed files with 5 additions and 9 deletions
--- a/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/maintenance.py
+++ b/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/maintenance.py
@ -500,7 +500,7 @@ class DBInconsistenciesPeriodics(SchemaAwarePeriodicsBase):
            type_ = port.type.strip()
            if not port.port_security:
                if not type_ and ovn_const.UNKNOWN_ADDR not in addresses:
-                    addresses = [ovn_const.UNKNOWN_ADDR]
+                    addresses.append(ovn_const.UNKNOWN_ADDR)
                elif type_ and ovn_const.UNKNOWN_ADDR in addresses:
                    addresses.remove(ovn_const.UNKNOWN_ADDR)
            else:
--- a/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py
+++ b/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py
@ -277,10 +277,7 @@ class OVNClient(object):
                # OVN allows any mac address from a port if "unknown"
                # is added to the Logical_Switch_Port.addresses column.
                # So add it.
-                addresses = [ovn_const.UNKNOWN_ADDR]
-            else:
-                addresses = [address]
-                addresses.extend(new_macs)
+                addresses.append(ovn_const.UNKNOWN_ADDR)

        dhcpv4_options = self._get_port_dhcp_options(port, const.IP_VERSION_4)
        dhcpv6_options = self._get_port_dhcp_options(port, const.IP_VERSION_6)
--- a/neutron/tests/unit/plugins/ml2/drivers/ovn/mech_driver/test_mech_driver.py
+++ b/neutron/tests/unit/plugins/ml2/drivers/ovn/mech_driver/test_mech_driver.py
@ -405,9 +405,8 @@ class TestOVNMechanismDriver(test_plugin.Ml2PluginV2TestCase):
                    self.assertEqual([],
                                     called_args_dict.get('port_security'))

-                    self.assertEqual(1, len(called_args_dict.get('addresses')))
                    self.assertEqual(ovn_const.UNKNOWN_ADDR,
-                                     called_args_dict.get('addresses')[0])
+                                     called_args_dict.get('addresses')[1])
                    data = {'port': {'mac_address': '00:00:00:00:00:01'}}
                    req = self.new_update_request(
                        'ports',
@ -419,9 +418,9 @@ class TestOVNMechanismDriver(test_plugin.Ml2PluginV2TestCase):
                         ).call_args_list[0][1])
                    self.assertEqual([],
                                     called_args_dict.get('port_security'))
-                    self.assertEqual(1, len(called_args_dict.get('addresses')))
+                    self.assertEqual(2, len(called_args_dict.get('addresses')))
                    self.assertEqual(ovn_const.UNKNOWN_ADDR,
-                                     called_args_dict.get('addresses')[0])
+                                     called_args_dict.get('addresses')[1])

                    # Enable port security
                    data = {'port': {'port_security_enabled': 'True'}}