Merge "Don't drop ARP table jump during OVS rewiring"
commit
7490891157
|
@ -206,5 +206,8 @@ class OVSIntegrationBridge(ovs_bridge.OVSAgentBridge):
|
|||
match = self._icmpv6_reply_match(ofp, ofpp, port=port)
|
||||
self.delete_flows(table_id=constants.LOCAL_SWITCHING,
|
||||
match=match)
|
||||
self.delete_arp_spoofing_allow_rules(port)
|
||||
|
||||
def delete_arp_spoofing_allow_rules(self, port):
|
||||
self.delete_flows(table_id=constants.ARP_SPOOF_TABLE,
|
||||
in_port=port)
|
||||
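Review bot: The new `delete_arp_spoofing_allow_rules` has no docstring, and the distinction it exists for is security-relevant: it deletes only this port's entries in `ARP_SPOOF_TABLE`, while the caller just above it also deletes matches from `LOCAL_SWITCHING`. I would add `"""Remove only this port's ARP_SPOOF_TABLE entries; the LOCAL_SWITCHING jump is left in place."""` so that a later change does not swap one call for the other and reopen the gap the commit title describes. The same method is added without a docstring in the second bridge implementation (the hunk at -149,5 +149,8). The function that now calls it starts outside the hunk.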
|
|
|
@ -149,5 +149,8 @@ class OVSIntegrationBridge(ovs_bridge.OVSAgentBridge):
|
|||
self.delete_flows(table_id=constants.LOCAL_SWITCHING,
|
||||
in_port=port, nw_proto=const.PROTO_NUM_ICMP_V6,
|
||||
icmp_type=const.ICMPV6_TYPE_NA)
|
||||
self.delete_arp_spoofing_allow_rules(port)
|
||||
|
||||
def delete_arp_spoofing_allow_rules(self, port):
|
||||
self.delete_flows(table_id=constants.ARP_SPOOF_TABLE,
|
||||
in_port=port)
|
||||
|
|
|
@ -879,17 +879,19 @@ class OVSNeutronAgent(sg_rpc.SecurityGroupAgentRpcCallbackMixin,
|
|||
|
||||
@staticmethod
|
||||
def setup_arp_spoofing_protection(bridge, vif, port_details):
|
||||
# clear any previous flows related to this port in our ARP table
|
||||
bridge.delete_arp_spoofing_protection(port=vif.ofport)
|
||||
if not port_details.get('port_security_enabled', True):
|
||||
LOG.info(_LI("Skipping ARP spoofing rules for port '%s' because "
|
||||
"it has port security disabled"), vif.port_name)
|
||||
bridge.delete_arp_spoofing_protection(port=vif.ofport)
|
||||
return
|
||||
if port_details['device_owner'].startswith(
|
||||
n_const.DEVICE_OWNER_NETWORK_PREFIX):
|
||||
LOG.debug("Skipping ARP spoofing rules for network owned port "
|
||||
"'%s'.", vif.port_name)
|
||||
bridge.delete_arp_spoofing_protection(port=vif.ofport)
|
||||
return
|
||||
# clear any previous flows related to this port in our ARP table
|
||||
bridge.delete_arp_spoofing_allow_rules(port=vif.ofport)
|
||||
# collect all of the addresses and cidrs that belong to the port
|
||||
addresses = {f['ip_address'] for f in port_details['fixed_ips']}
|
||||
mac_addresses = {vif.vif_mac}
|
||||
|
@ -921,6 +923,8 @@ class OVSNeutronAgent(sg_rpc.SecurityGroupAgentRpcCallbackMixin,
|
|||
# match on /1 or more.
|
||||
bridge.install_arp_spoofing_protection(port=vif.ofport,
|
||||
ip_addresses=ipv4_addresses)
|
||||
else:
|
||||
bridge.delete_arp_spoofing_protection(port=vif.ofport)
|
||||
|
||||
def port_unbound(self, vif_id, net_uuid=None):
|
||||
'''Unbind port.
|
||||
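Review bot: The added `else:` branch after `install_arp_spoofing_protection` calls `bridge.delete_arp_spoofing_protection`, which may be broader than the IPv4 case this branch handles. The bridge hunks on this page show a function deleting an ICMPv6 reply match from `LOCAL_SWITCHING` immediately before the new allow-rule call; if that function is `delete_arp_spoofing_protection`, and if the ICMPv6 NA rules are installed earlier in this method (not visible here), a port that reaches this branch would lose neighbour-advertisement filtering it should keep. Please confirm which flows the call removes, and state the intent on the branch, e.g. `# /0 IPv4 entry: ARP cannot be filtered for this port, so remove its jump`. The middle of `setup_arp_spoofing_protection` lies between the two hunks and is not shown.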
|
|
|
@ -1487,7 +1487,7 @@ class TestOvsNeutronAgent(object):
|
|||
self.agent.setup_arp_spoofing_protection(int_br, vif, fake_details)
|
||||
self.assertEqual(
|
||||
[mock.call(port=vif.ofport)],
|
||||
int_br.delete_arp_spoofing_protection.mock_calls)
|
||||
int_br.delete_arp_spoofing_allow_rules.mock_calls)
|
||||
self.assertEqual(
|
||||
[mock.call(ip_addresses=set(), port=vif.ofport)],
|
||||
int_br.install_arp_spoofing_protection.mock_calls)
|
||||
|
@ -1501,7 +1501,7 @@ class TestOvsNeutronAgent(object):
|
|||
self.agent.setup_arp_spoofing_protection(br, vif, fake_details)
|
||||
self.assertEqual(
|
||||
[mock.call(port=vif.ofport)],
|
||||
br.delete_arp_spoofing_protection.mock_calls)
|
||||
br.delete_arp_spoofing_allow_rules.mock_calls)
|
||||
self.assertTrue(br.install_icmpv6_na_spoofing_protection.called)
|
||||
|
||||
def test_arp_spoofing_fixed_and_allowed_addresses(self):
|
||||
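Review bot: Both updated assertions check that `delete_arp_spoofing_allow_rules` is called once, but neither checks that the jump is left alone, which is the behaviour the commit title promises. Adding `self.assertFalse(int_br.delete_arp_spoofing_protection.called)` after the first assertion, and the `br` equivalent in the second test, would catch a regression that reintroduces the full delete on the normal path. The new `else:` branch and the two early-return paths that still call `delete_arp_spoofing_protection` are not exercised by anything visible in these hunks. Both test methods start outside the hunks.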
|
|