Skip ARP protection if 0.0.0.0/0 in addr pairs
Don't set up ARP protection on ports with allowed address pairs that allow them to use any IP address. This is necessary because OVS doesn't support the /0 prefix in rules that match on ARP headers. Related-Bug: #1461054 Closes-Bug: #1468009 Change-Id: I913a86f22b228aa11fa3dabd9493c3995198f7ec
parent
b257136e1c
commit
747738d365
@ -785,6 +785,10 @@ class OVSNeutronAgent(sg_rpc.SecurityGroupAgentRpcCallbackMixin,
addresses = {ip for ip in addresses
if netaddr.IPNetwork(ip).version == 4}
if any(netaddr.IPNetwork(ip).prefixlen == 0 for ip in addresses):
# don't try to install protection because a /0 prefix allows any
# address anyway and the ARP_SPA can only match on /1 or more.
return
bridge.install_arp_spoofing_protection(port=vif.ofport,
ip_addresses=addresses)
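Review bot: The early `return` added for the /0 case skips installing rules but does not remove any ARP spoofing rules that were installed for this port earlier, so a port that gains a 0.0.0.0/0 allowed address pair after its rules were set up would keep the old, narrower ARP_SPA matches and drop ARP from addresses the pair now permits. The enclosing method starts outside the hunk; if the port-security-disabled path there clears the port's rules via a delete counterpart to `install_arp_spoofing_protection`, the same call belongs before this `return`. Logging the skip at info level with `vif.ofport` would also let operators see which ports are running without ARP protection instead of the silent return. The comment above the return could say so explicitly, e.g. `# a /0 pair permits any source address, so protection is meaningless here; OVS cannot match ARP_SPA with a /0 mask anyway`.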
@ -158,6 +158,13 @@ class _ARPSpoofTestCase(object):
self.dst_p.addr.add('%s/24' % self.dst_addr)
net_helpers.assert_ping(self.src_namespace, self.dst_addr, count=2)
def test_arp_spoof_allowed_address_pairs_0cidr(self):
self._setup_arp_spoof_for_port(self.dst_p.name, ['9.9.9.9/0',
'1.2.3.4'])
self.src_p.addr.add('%s/24' % self.src_addr)
self.dst_p.addr.add('%s/24' % self.dst_addr)
net_helpers.assert_ping(self.src_namespace, self.dst_addr)
def test_arp_spoof_disable_port_security(self):
# block first and then disable port security to make sure old rules
# are cleared
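Review bot: `test_arp_spoof_allowed_address_pairs_0cidr` only asserts that the ping from src_namespace succeeds, which also passes if rules were installed but happen to cover src_addr, or if no rules exist for an unrelated reason; it does not show that the port was left without ARP-match flows, which is what the agent change is supposed to guarantee. An additional assertion that the bridge's flow dump has no ARP rules for dst_p's port after `_setup_arp_spoof_for_port` would pin that. A second case with the /0 entry as the only allowed address pair (no '1.2.3.4') would cover the path where nothing but the catch-all remains. `_setup_arp_spoof_for_port` and the class setup live outside the hunk, so whether the helper already clears earlier rules cannot be checked here.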