Deprecate ARP spoofing protection option

This protection should always be enabled unless its explicitly shutoff via the port security extension via the API. The primary reason it was a config option was because it was merged at the end of Kilo development so it wasn't considered stable. Now that it has been enabled by default for all of Liberty and the development of Mitaka, it's a good idea to just get rid of the option completely. DocImpact: Remove references to prevent_arp_spoofing and replace with pointer to port security extension for disabling security features. Change-Id: Ib63ba8ae7050465a0786ea3d50c65f413f4ebe38
2016-02-15 09:27:42 -08:00 · 2016-02-15 09:27:42 -08:00 · 7bbacd49a4
parent 33eec87d78
commit 7bbacd49a4
2 changed files with 8 additions and 2 deletions
--- a/neutron/plugins/ml2/drivers/agent/config.py
+++ b/neutron/plugins/ml2/drivers/agent/config.py
@ -31,6 +31,7 @@ agent_opts = [
    # should be moved into a common agent config options location as part of
    # the deduplication work.
    cfg.BoolOpt('prevent_arp_spoofing', default=True,
+                deprecated_for_removal=True,
                help=_("Enable suppression of ARP responses that don't match "
                       "an IP address that belongs to the port from which "
                       "they originate. Note: This prevents the VMs attached "
@ -41,7 +42,9 @@ agent_opts = [
                       "added to any ports that have port security disabled. "
                       "For LinuxBridge, this requires ebtables. For OVS, it "
                       "requires a version that supports matching ARP "
-                       "headers."))
+                       "headers. This option will be removed in Newton so "
+                       "the only way to disable protection will be via the "
+                       "port security extension."))
 ]

 cfg.CONF.register_opts(agent_opts, "AGENT")
--- a/neutron/plugins/ml2/drivers/openvswitch/agent/common/config.py
+++ b/neutron/plugins/ml2/drivers/openvswitch/agent/common/config.py
@ -122,6 +122,7 @@ agent_opts = [
                       "to respond to an ARP request locally without "
                       "performing a costly ARP broadcast into the overlay.")),
    cfg.BoolOpt('prevent_arp_spoofing', default=True,
+                deprecated_for_removal=True,
                help=_("Enable suppression of ARP responses that don't match "
                       "an IP address that belongs to the port from which "
                       "they originate. Note: This prevents the VMs attached "
@ -132,7 +133,9 @@ agent_opts = [
                       "added to any ports that have port security disabled. "
                       "For LinuxBridge, this requires ebtables. For OVS, it "
                       "requires a version that supports matching ARP "
-                       "headers.")),
+                       "headers. This option will be removed in Newton so "
+                       "the only way to disable protection will be via the "
+                       "port security extension.")),
    cfg.BoolOpt('dont_fragment', default=True,
                help=_("Set or un-set the don't fragment (DF) bit on "
                       "outgoing IP packet carrying GRE/VXLAN tunnel.")),