Skip ARP protection if 0.0.0.0/0 in addr pairs

Don't setup ARP protection on ports with allowed address pairs
that allow them to use any IP address. This is necessary because
OVS doesn't support the /0 prefix in rules that match on ARP headers.

Related-Bug: #1461054
Closes-Bug: #1468009
Change-Id: I913a86f22b228aa11fa3dabd9493c3995198f7ec
This commit is contained in:
Kevin Benton 2015-06-03 15:20:27 -07:00
parent b257136e1c
commit 747738d365
2 changed files with 11 additions and 0 deletions

View File

@ -785,6 +785,10 @@ class OVSNeutronAgent(sg_rpc.SecurityGroupAgentRpcCallbackMixin,
addresses = {ip for ip in addresses
if netaddr.IPNetwork(ip).version == 4}
if any(netaddr.IPNetwork(ip).prefixlen == 0 for ip in addresses):
# don't try to install protection because a /0 prefix allows any
# address anyway and the ARP_SPA can only match on /1 or more.
return
bridge.install_arp_spoofing_protection(port=vif.ofport,
ip_addresses=addresses)

View File

@ -158,6 +158,13 @@ class _ARPSpoofTestCase(object):
self.dst_p.addr.add('%s/24' % self.dst_addr)
net_helpers.assert_ping(self.src_namespace, self.dst_addr, count=2)
def test_arp_spoof_allowed_address_pairs_0cidr(self):
self._setup_arp_spoof_for_port(self.dst_p.name, ['9.9.9.9/0',
'1.2.3.4'])
self.src_p.addr.add('%s/24' % self.src_addr)
self.dst_p.addr.add('%s/24' % self.dst_addr)
net_helpers.assert_ping(self.src_namespace, self.dst_addr)
def test_arp_spoof_disable_port_security(self):
# block first and then disable port security to make sure old rules
# are cleared