Merge "Don't drop ARP table jump during OVS rewiring"
commit
7490891157
|
@ -206,5 +206,8 @@ class OVSIntegrationBridge(ovs_bridge.OVSAgentBridge):
|
||||||
match = self._icmpv6_reply_match(ofp, ofpp, port=port)
|
match = self._icmpv6_reply_match(ofp, ofpp, port=port)
|
||||||
self.delete_flows(table_id=constants.LOCAL_SWITCHING,
|
self.delete_flows(table_id=constants.LOCAL_SWITCHING,
|
||||||
match=match)
|
match=match)
|
||||||
|
self.delete_arp_spoofing_allow_rules(port)
|
||||||
|
|
||||||
|
def delete_arp_spoofing_allow_rules(self, port):
|
||||||
self.delete_flows(table_id=constants.ARP_SPOOF_TABLE,
|
self.delete_flows(table_id=constants.ARP_SPOOF_TABLE,
|
||||||
in_port=port)
|
in_port=port)
|
||||||
|
|
|
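Review bot: The new `delete_arp_spoofing_allow_rules` has no docstring, and its contract relative to `delete_arp_spoofing_protection` (which now calls it and additionally removes the port's ICMPv6 flows from LOCAL_SWITCHING) is the whole point of this change. A one-line docstring would make the distinction explicit: `"""Remove this port's allow flows from ARP_SPOOF_TABLE only; the jump into the table is left in place, so unmatched ARP from the port keeps being dropped."""` The claim that the jump survives is inferred from the commit title rather than visible here, since the rest of `delete_arp_spoofing_protection` is outside the hunk; the same docstring applies to the identical method added in the second hunk (`@ -149,5 +149,8`).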
@ -149,5 +149,8 @@ class OVSIntegrationBridge(ovs_bridge.OVSAgentBridge):
|
||||||
self.delete_flows(table_id=constants.LOCAL_SWITCHING,
|
self.delete_flows(table_id=constants.LOCAL_SWITCHING,
|
||||||
in_port=port, nw_proto=const.PROTO_NUM_ICMP_V6,
|
in_port=port, nw_proto=const.PROTO_NUM_ICMP_V6,
|
||||||
icmp_type=const.ICMPV6_TYPE_NA)
|
icmp_type=const.ICMPV6_TYPE_NA)
|
||||||
|
self.delete_arp_spoofing_allow_rules(port)
|
||||||
|
|
||||||
|
def delete_arp_spoofing_allow_rules(self, port):
|
||||||
self.delete_flows(table_id=constants.ARP_SPOOF_TABLE,
|
self.delete_flows(table_id=constants.ARP_SPOOF_TABLE,
|
||||||
in_port=port)
|
in_port=port)
|
||||||
|
|
|
@ -879,17 +879,19 @@ class OVSNeutronAgent(sg_rpc.SecurityGroupAgentRpcCallbackMixin,
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def setup_arp_spoofing_protection(bridge, vif, port_details):
|
def setup_arp_spoofing_protection(bridge, vif, port_details):
|
||||||
# clear any previous flows related to this port in our ARP table
|
|
||||||
bridge.delete_arp_spoofing_protection(port=vif.ofport)
|
|
||||||
if not port_details.get('port_security_enabled', True):
|
if not port_details.get('port_security_enabled', True):
|
||||||
LOG.info(_LI("Skipping ARP spoofing rules for port '%s' because "
|
LOG.info(_LI("Skipping ARP spoofing rules for port '%s' because "
|
||||||
"it has port security disabled"), vif.port_name)
|
"it has port security disabled"), vif.port_name)
|
||||||
|
bridge.delete_arp_spoofing_protection(port=vif.ofport)
|
||||||
return
|
return
|
||||||
if port_details['device_owner'].startswith(
|
if port_details['device_owner'].startswith(
|
||||||
n_const.DEVICE_OWNER_NETWORK_PREFIX):
|
n_const.DEVICE_OWNER_NETWORK_PREFIX):
|
||||||
LOG.debug("Skipping ARP spoofing rules for network owned port "
|
LOG.debug("Skipping ARP spoofing rules for network owned port "
|
||||||
"'%s'.", vif.port_name)
|
"'%s'.", vif.port_name)
|
||||||
|
bridge.delete_arp_spoofing_protection(port=vif.ofport)
|
||||||
return
|
return
|
||||||
|
# clear any previous flows related to this port in our ARP table
|
||||||
|
bridge.delete_arp_spoofing_allow_rules(port=vif.ofport)
|
||||||
# collect all of the addresses and cidrs that belong to the port
|
# collect all of the addresses and cidrs that belong to the port
|
||||||
addresses = {f['ip_address'] for f in port_details['fixed_ips']}
|
addresses = {f['ip_address'] for f in port_details['fixed_ips']}
|
||||||
mac_addresses = {vif.vif_mac}
|
mac_addresses = {vif.vif_mac}
|
||||||
|
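Review bot: The comment `# clear any previous flows related to this port in our ARP table` now sits above `bridge.delete_arp_spoofing_allow_rules`, which removes only the allow flows, so the comment overstates what the call does and hides why the narrower call is used. Rewording it to `# clear this port's previous allow rules in the ARP table; the table jump is kept so the port stays protected while the new rules are installed` would document the fail-closed window between the delete and the `install_arp_spoofing_protection` call further down. `setup_arp_spoofing_protection` continues past the end of this hunk.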
@ -921,6 +923,8 @@ class OVSNeutronAgent(sg_rpc.SecurityGroupAgentRpcCallbackMixin,
|
||||||
# match on /1 or more.
|
# match on /1 or more.
|
||||||
bridge.install_arp_spoofing_protection(port=vif.ofport,
|
bridge.install_arp_spoofing_protection(port=vif.ofport,
|
||||||
ip_addresses=ipv4_addresses)
|
ip_addresses=ipv4_addresses)
|
||||||
|
else:
|
||||||
|
bridge.delete_arp_spoofing_protection(port=vif.ofport)
|
||||||
|
|
||||||
def port_unbound(self, vif_id, net_uuid=None):
|
def port_unbound(self, vif_id, net_uuid=None):
|
||||||
'''Unbind port.
|
'''Unbind port.
|
||||||
|
|
|
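Review bot: The new `else:` branch removes the port's ARP filtering entirely without logging, whereas the other two paths that call `bridge.delete_arp_spoofing_protection` in this method each log why the port is being skipped. A matching line such as `LOG.debug("Removing ARP spoofing protection for port '%s'.", vif.port_name)` before the delete would keep the audit trail consistent and make it visible when a port ends up unprotected. The `if` this `else` belongs to starts outside the hunk, so I cannot confirm exactly which condition leads here.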
@ -1487,7 +1487,7 @@ class TestOvsNeutronAgent(object):
|
||||||
self.agent.setup_arp_spoofing_protection(int_br, vif, fake_details)
|
self.agent.setup_arp_spoofing_protection(int_br, vif, fake_details)
|
||||||
self.assertEqual(
|
self.assertEqual(
|
||||||
[mock.call(port=vif.ofport)],
|
[mock.call(port=vif.ofport)],
|
||||||
int_br.delete_arp_spoofing_protection.mock_calls)
|
int_br.delete_arp_spoofing_allow_rules.mock_calls)
|
||||||
self.assertEqual(
|
self.assertEqual(
|
||||||
[mock.call(ip_addresses=set(), port=vif.ofport)],
|
[mock.call(ip_addresses=set(), port=vif.ofport)],
|
||||||
int_br.install_arp_spoofing_protection.mock_calls)
|
int_br.install_arp_spoofing_protection.mock_calls)
|
||||||
|
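Review bot: The updated assertion only checks that `delete_arp_spoofing_allow_rules` was called; it does not assert that `delete_arp_spoofing_protection` is no longer invoked on the normal rewiring path, which is the behavior this commit changes. Adding `self.assertFalse(int_br.delete_arp_spoofing_protection.called)` after the existing assertEqual would pin that, and the equivalent `self.assertFalse(br.delete_arp_spoofing_protection.called)` belongs in the next test hunk (`@ -1501,7 +1501,7`). Without it a regression that reinstates the old full delete would still pass these tests.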
@ -1501,7 +1501,7 @@ class TestOvsNeutronAgent(object):
|
||||||
self.agent.setup_arp_spoofing_protection(br, vif, fake_details)
|
self.agent.setup_arp_spoofing_protection(br, vif, fake_details)
|
||||||
self.assertEqual(
|
self.assertEqual(
|
||||||
[mock.call(port=vif.ofport)],
|
[mock.call(port=vif.ofport)],
|
||||||
br.delete_arp_spoofing_protection.mock_calls)
|
br.delete_arp_spoofing_allow_rules.mock_calls)
|
||||||
self.assertTrue(br.install_icmpv6_na_spoofing_protection.called)
|
self.assertTrue(br.install_icmpv6_na_spoofing_protection.called)
|
||||||
|
|
||||||
def test_arp_spoofing_fixed_and_allowed_addresses(self):
|
def test_arp_spoofing_fixed_and_allowed_addresses(self):
|
||||||
|
|